TUTORIAL Pit - Discussion
by chilly - May 15, 2021 at 09:18 PM
#1
Let's do it. So far 1hr and no blood.
#2
Well, got RCE, still trying to break out of the www-data user.
#3
(May 16, 2021 at 11:40 AM)chilly Wrote: Well, got RCE, still trying to break out of the www-data user.

Any advice to get the RCE back to us?
#4
Got user :D
Now on to root.

(May 16, 2021 at 11:50 AM)inferno7us Wrote:
(May 16, 2021 at 11:40 AM)chilly Wrote: Well, got RCE, still trying to break out of the www-data user.

Any advice to get the RCE back to us?

Find another DNS name, use the username and path to a CMS you find from SNMP, and use that user to log in. Once logged in you'll find an exploit for cmd execution.
#5
(May 16, 2021 at 12:34 PM)chilly Wrote: Got user :D
Now on to root.

(May 16, 2021 at 11:50 AM)inferno7us Wrote:
(May 16, 2021 at 11:40 AM)chilly Wrote: Well, got RCE, still trying to break out of the www-data user.

Any advice to get the RCE back to us?

Find another DNS name, use the username and path to a CMS you find from SNMP, and use that user to log in. Once logged in you'll find an exploit for cmd execution.

Ya, and for shell?
#6
And rooted. SNMP sucks.
#7
(May 16, 2021 at 12:34 PM)chilly Wrote: Got user :D
Now on to root.

(May 16, 2021 at 11:50 AM)inferno7us Wrote:
(May 16, 2021 at 11:40 AM)chilly Wrote: Well, got RCE, still trying to break out of the www-data user.

Any advice to get the RCE back to us?

Find another DNS name, use the username and path to a CMS you find from SNMP, and use that user to log in. Once logged in you'll find an exploit for cmd execution.

How to get the password for that user?
#8
Free writeup at boot2root.com
#9
(May 16, 2021 at 12:34 PM)chilly Wrote: Got user :D
Now on to root.

(May 16, 2021 at 11:50 AM)inferno7us Wrote:
(May 16, 2021 at 11:40 AM)chilly Wrote: Well, got RCE, still trying to break out of the www-data user.

Any advice to get the RCE back to us?

Find another DNS name, use the username and path to a CMS you find from SNMP, and use that user to log in. Once logged in you'll find an exploit for cmd execution.

So I have the digital media server DNS name (http://dms-pit.htb/) and I got the username "michelle" with SNMP (snmpwalk -v2c -c public machineip nsExtendObjects).
But how would I log in? I don't find any path to a CMS in the snmpwalk output. Could you write a detailed explanation of how you got to the login page, or how you just did it?
#10
Yeah, I'm not understanding how people are finding a path to a CMS from snmpwalk. I've looked at the output of that for a while now and don't see anything useful, but maybe I'm blind?
#11
(May 16, 2021 at 05:52 PM)0xyikers Wrote: Yeah, I'm not understanding how people are finding a path to a CMS from snmpwalk. I've looked at the output of that for a while now and don't see anything useful, but maybe I'm blind?

When you access dms-pit.htb it says 403 Forbidden; that means there must be some other directory which we can find and access. So, when you run snmpwalk you'd get a bunch of information. From that information you will find the path of the DMS, that is /var/www/html/seeddms51x/seeddms. So, you can access the DMS by appending the directory to dms-pit.htb:

dms-pit.htb/seeddms51x/seeddms

From the same SNMP dump data you will also find a username called michelle. You use it as username and password to access the SeedDMS dashboard.
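The post above describes the defender-side lesson of this box: an SNMP `extend` script, readable with the default `public` community, leaks a web-root path and a username. As an added example (not part of this thread or of the box), here is a small auditor that parses `snmpwalk` text output and flags NET-SNMP-EXTEND-MIB objects, absolute paths under sensitive prefixes, and "user:"-style hints. The sample walk lines are constructed to mirror the thread's values; the script names, OIDs and prefixes are assumptions, not captured output.

```python
import re

# Constructed sample of snmpwalk text output (not captured from the box). The
# values mirror what the thread describes: nsExtend script entries, a leaked
# web-root path and a username, plus ordinary lines that should not be flagged.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux pit 4.18.0 #1 SMP x86_64
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".1 = STRING: Monitoring /var/www/html/seeddms51x/seeddms
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".2 = STRING: Login user: michelle
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: /usr/lib/systemd/systemd
"""

# One snmpwalk line: "<MIB::object> = <TYPE>: <value>".
LINE_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$')
# Absolute filesystem paths embedded in a value.
PATH_RE = re.compile(r'(?<![\w.])/(?:[\w.-]+/)*[\w.-]+')
# "user: name", "username=name", "login: name" style hints.
USER_RE = re.compile(r'\b(?:user(?:name)?|login)\s*[:=]\s*(?P<user>[a-z_][a-z0-9_-]*)', re.I)


def parse_walk(text):
    """Yield (oid, type, value) for each well-formed snmpwalk line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('oid'), m.group('type'), m.group('value')


def audit_walk(text, sensitive_prefixes=('/var/www', '/home', '/opt', '/etc')):
    """Return a list of findings, each {'kind', 'oid', 'value'}."""
    findings = []
    for oid, _typ, value in parse_walk(text):
        # Any nsExtend object means snmpd runs 'extend' scripts whose command
        # and output are readable by anyone who knows the community string.
        if oid.startswith('NET-SNMP-EXTEND-MIB::nsExtend'):
            findings.append({'kind': 'extend-object', 'oid': oid, 'value': value})
        for path in PATH_RE.findall(value):
            if path.startswith(sensitive_prefixes):
                findings.append({'kind': 'path', 'oid': oid, 'value': path})
        um = USER_RE.search(value)
        if um:
            findings.append({'kind': 'username', 'oid': oid, 'value': um.group('user')})
    return findings


if __name__ == '__main__':
    for f in audit_walk(SAMPLE_WALK):
        print(f"{f['kind']:14} {f['oid']}  ->  {f['value']}")
```

Everything this flags is visible to whoever knows the community string, so the fix lives in snmpd.conf: replace `public` with a non-default community, restrict its source network, and use the `-V <view>` form of `rocommunity` so extend output is not part of the read-only view.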
#12
(May 16, 2021 at 06:21 PM)rasengan Wrote:
(May 16, 2021 at 05:52 PM)0xyikers Wrote: Yeah, I'm not understanding how people are finding a path to a CMS from snmpwalk. I've looked at the output of that for a while now and don't see anything useful, but maybe I'm blind?

When you access dms-pit.htb it says 403 Forbidden; that means there must be some other directory which we can find and access. So, when you run snmpwalk you'd get a bunch of information. From that information you will find the path of the DMS, that is /var/www/html/seeddms51x/seeddms. So, you can access the DMS by appending the directory to dms-pit.htb:

dms-pit.htb/seeddms51x/seeddms

From the same SNMP dump data you will also find a username called michelle. You use it as username and password to access the SeedDMS dashboard.

From the regular snmpwalk and the nsExtend output, I don't see any references to seeddms; is there a module you use with SNMP to get to that? I appreciate the reply, still trying to figure out where in snmpwalk you're seeing the seeddms path info.

much love
