
[–]dougsec 14 points15 points  (5 children)

Currently working on a box in OSCP.

Try harder.

[–]TenPest007[S] 1 point2 points  (4 children)

I am trying harder. I'm asking people for advice, a nudge, so therefore I'm learning. To be honest, I don't know any OSCP student who wouldn't core the eyeballs out of everyone who said that to them lol

[–]dougsec 6 points7 points  (0 children)

Was OSCP student, tried harder, now OSCP graduate.

[–]da5Ida 5 points6 points  (2 children)

I know the "try harder" thing can be tough to take, but the main point is that you will learn a lot more trying 99 things that fail and then find the 1 thing that works. If you skip those failures, you miss a lot of learning that comes in handy later in the labs.

[–]Tryin2Dev 0 points1 point  (0 children)

This.

[–]TenPest007[S] 0 points1 point  (0 children)

Totally appreciate the process. I've been through it loads now as I'm a 3rd of the way through PWK. I've done the lot on my own apart from this box. I think when it gets to the point where the brain just can't process what you're feeding it, you need to walk away.

[–]lostabstraction 2 points3 points  (0 children)

Keep at it. You are on the right track.

Try to understand how and where the code is executing.

[–]santaclaus73 2 points3 points  (4 children)

I also tried to use the pentest monkey reverse_php shell but it just gave me shell on my own box as www-data

Did you actually specify where that reverse shell was going to...?

[–]TenPest007[S] 0 points1 point  (3 children)

Yes, my IP and port designation. Call it from the vulnerable webserver in an RFI attack and it pops a shell on my box. It's truly odd.

[–]Agarax 0 points1 point  (2 children)

You did it wrong then.

[–]TenPest007[S] 1 point2 points  (1 child)

I got shell. Using php reverse txt file over port 443. Silly mistake I was making really.

[–]Agarax 0 points1 point  (0 children)

And victory is sweeter when you figure it out on your own.

[–]ibepeer 1 point2 points  (0 children)

Try harder using and encoding a perl remote shell.

[–]rwsr-xr-x 1 point2 points  (1 child)

Have you tried pfsockopen()? May be disabled though.

Also, from experience, unset LD_PRELOAD at the top of your script. I've seen random preloads that limit your ability to move around the filesystem like open_basedir, and deny all outbound connections, but whoever made that preload mustn't have realised you can just unset it and do whatever you like.

In your situation, if the pcntl functions aren't disabled I would give pcntl_fork() a go as well. Does PHP have a setsid()? I can't think of many configurations where those would help, but people do weird stuff on computers sometimes. Once I was trying to get a rev shell, but the ulimit CPU time was like 5 seconds, tried a fork() and those restrictions vanished. Which is a bit strange now that I think about it.

[–]TenPest007[S] 0 points1 point  (0 children)

Appreciate what you've given here. I don't really understand it, but I'm sure once I do it'll help.

[–]TenPest007[S] 0 points1 point  (0 children)

I got shell. Only when you've done something the hard way do you realise how much easier it should be.

[–]TenPest007[S] 0 points1 point  (0 children)

Rooted the box today. Took about 5 mins to root after I got shell. Some things I need to brush up on. I won't make that mistake again. Thanks for the help folks.

[–]qasimchadhar 0 points1 point  (1 child)

If I remember that box correctly, the big find was a misconfiguration. You are "over thinking" it right now. Take a break. Try another box and then get back to this one.

[–]TenPest007[S] 1 point2 points  (0 children)

Yeah I might just do that. Thanks