As mentioned by Jkr. I did a ping test and used Wi**s**** to capture the traffic. It worked but for some reason the I the n* function has no success. Please assist please PM me. Thanks
Comments
Man this machine was crazy ..... the attack itself was easy to understand but required a lot of detailing in order to execute ....... aaaah !!! finally rooted it ..... Thanks to all those who helped me @quas @noahcain and @s4rgey ..... and also for not spoiling the fun all the way through
I've just discovered the meaning of secretdata.txt.
Thanks to @ferreirasc for helping me on my first lab, and kudos++ to @snowscan for creating such a great challenge.
Hack N' Roll \m/
THIS IS ..... HueHueBR Team!
Was able to get into the web app and see where I need to do RCE with the compressed value, but can't figure out why the code isn't running when I replace the value. Any tips?
I just rooted the box! Kudos to @Draco123 for his amazing help!
Any hints on what secretdata.txt is?
Finally got the root.
Got the user 2 months back. But it took 2 months for root.
Thanks @3therk1ll buddy. Without your help I might not have understood the underlying concept or made it to root.
Thanks @Puru and @dropdown. We had great private discussions about this machine. That's nice technical stuff.
Last but not least, thanks @snowscan for this wonderful machine. Learnt a lot in the network.
I never worked out what that was for. Any chance of a PM to give me a hint (or a spoiler)?
Note: https://www.nohello.com/
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
Stuck at Dia****** page. Don't really know how to inject a reverse shell there. Can somebody help me?
This machine is driving me crazy. Now tcpdump seems to only give me 74 bytes of packet data even though it says "capture size 262144 bytes"
Finally rooted it
Awesome box, and a complete change from most other challenges! All the hints for what needs to be done are called out within the application. Looks like their fixes aren't correct! You need to expand on it a little bit and pretend to be a certain service
As everyone has said, understand the type of machine you're on, the primary services, and how they're implemented in this environment. This is a practical attack and can happen both accidentally and intentionally.
Found the 2 docs but cannot log in. Can't find any chassis number, any hint?
I've yet to even get a shell on the machine.
I've found the non-tcp port everyone has posted about on this thread, and I've enumerated it with every script I can find. None of them return any results whatsoever. If somebody could PM me for help with the scripts I'd appreciate it.
Having a problem with privesc, can someone shed some light for me on the b*** h*****? Need some help with v****. PM please.
I am stuck with user. I am playing with the check value but I find nothing interesting. I need a hint please
HOLY CRAP I'm so glad I rooted this box. I may have gone about rooting it in an unconventional way but I figured out the basic gist of it and managed to get it. Took me about 4 days but I figured it out. I learned quite a lot about a protocol I didn't have much experience in in the first place. Still though, I can't wait to see the writeups on this box after it gets retired so I can see how I managed to do it versus everyone else.
Initial foothold was straightforward, par for the course if you're used to a lot of CTF scenarios. But the privesc...man. Good challenge!
I got user. Thank you all
Can someone help with the payload used for the ch*** parameter? I'm using b**p to intercept, then using an encoded payload with netcat listening on the port, but can't get it to work. Can I please get some help? PM or here. Thanks
Hi all, as Deus9 posted, I am sitting in the same boat. Can someone please assist here? I am banging my head against the wall. Please PM me.
Did you try a simple payload (like pinging your IP with -c 2 and capturing ICMP on your tun0) to see if the pings arrive and your injection worked? If so, perhaps your payload is off or uses tools that are not on the box.
Hello guys
I've been struggling for so long on the privesc part. I read all the papers I could find related to the attack but I fail to reproduce it on the box ><
Can someone PM me for some guidance?
Thanks
I don't know what I'm missing on this one... Discovered s*** running and have been trying to enumerate to find the serial #. MSF modules don't yield any information either. Anyone have a tip for getting user?
Finally got this rooted! This was quite interesting and took me back to university network books and whatnot. Really awesome challenge @snowscan!
Got root!!!!..
Got lucky since somebody is working on it...
Lost the fun..
For my privilege escalation, none of the b** h****k tutorials helped. In fact, they were outright confusing because of minor mistakes. In the end, basic common sense in network troubleshooting prevailed. I'm so going to do a write-up on this to document my journey.
Write-ups | Discord - limbernie#0386
Hey guys, so I did snmp_login from Metasploit and I see it says successful.
But when I do snmp_enum everything shows up blank like this:
[+] 10.10.10.105, Connected.
[*] System information:
Host IP : 10.10.10.105
Hostname : -
Description : -
Contact : -
Location : -
Uptime snmp : -
Uptime system : -
System date : -
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Any reason why I am getting this error?
Use s**pw**k my friend, to walk the entire MIB hierarchy starting from the root. I leave it to you to figure out how to do that.
roger that