• Can someone send me a hint regarding RCE? I have been poking the c******h parameter with little success, I can get it to modify its 'normal' purpose, to give a bit more, but can't get RCE as a whole.

  • edited December 2018

    Spoiler Removed - egre55

  • edited November 2018

    stuck on getting initial foothold. Found some interesting files and ports, but I'm not getting anything when trying to connect/interact with them. does anyone have some references that would be helpful?

    Edit: nvm my syntax was off. If you are stuck where I was check out ippsec's video on Sneaky

  • so far I have gotten user.txt and its a really fun box. I am trying to get root here, and the learning curve is high, but its very fun.

  • Hello everyone, i understand i need to use a bgp hijacking technique cause quagga service is running and tcpdump to intercept traffic passing through the router but i don't know how to do it. May someone help me ?

  • edited November 2018

    Hi currently stuck on how to manipulate the check parameter


    I just learned by myself how to do it. I'm proud of myself hahahaha

    Have: Sec+ | eJPT | eWPT
    Goal: OSCP

  • Was able to get the user.txt and I don't know what to do next. Definitely need help for getting root. TIA

    Have: Sec+ | eJPT | eWPT
    Goal: OSCP

  • Yeah, I got user without an issue.

    I've been playing around with the router service, changed the conf, and can telnet to the device but not sure where to go from here. I'm familiar with the routing protocols in use (at a Network+ level) but I'm pretty much stuck. Can I PM someone for some assistance? Thanks!

    | A+ | Net+ | Sec+ | CySA+ | CASP | CISSP |
    aut inveniam viam aut faciam

  • hello,
    pleaaaaase PM, i'm stuck in the webapp, i dont know what i'm looking for ;')
    please give me a hint.

  • edited November 2018

    Hey can anyone give a hint for RCE? I know it has something to do with c**k parameter but can't figure out how to use it (checked ) but just can't seem to figure out how...
    Edit: Got user, thanks @AverageJuan for the hint

  • @MrR3boot said:

    @opt1kz said:
    I just started poking at it, so I'm still enumerating and working on user. Is the serial number thing a dead end? Edit: It is not a dead end. Just had to enumerate more.

    Stuck at this point.

    Edit: Got it

    Hey I am stuck at this point too, can you PM me a hint?

  • Hey would anyone be willing to PM a hint with priv sec. I understand I have to do use B** h*******ing using q****** (I believe using vt**h) but I have no idea what to do....

  • edited November 2018

    Wow, finally was able to get the root flag. If you're not well versed in networking, this will be a very challenging priv esc. There were a bunch of times that I wanted to give up because I wasn't sure why things weren't working -- turns out, I just needed to try harder.

  • edited November 2018

    I'm very close on this one. Redirection complete, I have interesting traffic coming to me and I'm able to capture it, but I'm only seeing the first part of the 3 way thing - any hints?

  • After hours pulling my hair out, using nmap scripts, metasploit modules and every variation of the output of the port as a password - it came to me...find a tool you haven't used before! hey presto I'm in and off and running. Amazing what a walk to clear the head can do ;)

  • hi, i obtained the user flag quite quickly, but i cannot get the reverse shell.
    i can the reverse connection, but it keeps dropping. on the other hand the nc version used does not allow me to use the -e or -c switch...
    any help here?

    or maybe i don't have to get reverse shell to take care of mentioned african animal?

  • This was one of the most interesting boxes I’ve come across, the networking portion of this box was just excellent.
  • edited November 2018

    Go have a look there @Everlastdg , it may help for reverse shell (and maybe for other things not related to this box).
    Who knows ... maybe something will work ...


  • Rooted ... good box. Well thought out. Probably takes a lot of people out of their comfort zone.


  • Hello someone have a hint after the login to the admin web page ? . I want to get user access on the machine but the password is not the same when I try ssh connection . Help me please , i'm stuck for hours ^^

  • There is one page that stands out from the others ... perhaps burp would show something interesting


  • edited November 2018

    Spoiler Removed - egre55

  • Having trouble with the initial user flag. Found 1*1 and what should be the webapp username, but I don't know where to go from here. PM please?

  • Anyone available for some tips about RCE? I know I'm looking at the right thing, but I think I need to learn a bit more about different ways to execute it... Thanks!

  • Anyone willing to help me on the root part of Carrier . I know what to do, but lacking the knowledge to get the right syntax.

  • cbxcbx
    edited November 2018

    Struggling with syntax on webapp to get rev shell. I can read some info back already...
    Help pleasss

  • @cbx said:
    Struggling with syntax on webapp to get rev shell. I can read some info back already...
    Help pleasss

  • @CesarSilence said:

    @cbx said:
    Struggling with syntax on webapp to get rev shell. I can read some info back already...
    Help pleasss

    PM me dude

    If at first you don't succeed, google the error message

Sign In to comment.