Frolic

Comments

  • I have to say I hate and love this box! There were so many twists and turns with the getting of user portion BUT it reminded me to always try different techniques on enumeration and not to stay with just one program. It also reminded me not to ignore anything and to document all the steps.

    Root access took me longer than it should have because I read the forum and wanted to do privesc without the r** route. I never did find that other method or get the other methods I thought should work to work.

    Again with priv esc it made you think of different ways/tools to get the job done without using the old standby.

    A lot of great tips already posted in the thread here about how to move about this machine.

    Have Fun with it!

  • I learned a lot...getting the initial foothold took forever though once I had it I went the extra mile to automate the "method" without relying on "the usual" tool. I did this to prepare for OSCP where "the usual" tool isn't all that much allowed during the exams. That proved to be a fun exercise. You'll find it on GitHub when you know what to look for.

    Getting root can be achieved as the initial user you'll get a shell as; I was on the right track all along but failed to address one critical part.

    Thanks @sahay for this box!

  • jkrjkr
    edited November 2018

    Finally got root on the box. What I learned on the journey? p0wny shell sucks when trying to printf bytes in hexadecimal notation. Should have gotten a proper reverse-shell earlier... :-/

  • I've spent way too much time trying to figure out this privesc and how to exploit the binary. If anyone could help, that would be greatly appreciated!

    Waffles
    | OSCP | OSWP | PenTest+ |

  • Got the .? I'm stuck on the second string, any help?

  • User done, onto root.
    Quite tedious but good stuff to learn.
    As always, if you want any hints or have questions PM me :)

  • gosh=[ any hint on index.php?

  • I wanted to hate this box, but after wading through it I think it's fantastic. What it lacks in engagement immersion, it really hammers home the basics; enumerate enumerate enumerate; research; and be creative.

  • I have the idk password and don't know where to use it :)

  • During your enumeration there must have been at least a few places you remember which required creds to go any further... Think back to those and try. If you only found one, go back and have another look. If you need another nudge, PM me and let me know what you've tried.

    OzzY

  • edited November 2018

    Having issues with the !?!. code. Can someone DM me as I think I know what it is but there aren't enough characters

  • @n0tch said:
    I have the idk password and don't know where to use it :)

    My problem was that I skipped some basic enumeration. This led to missing the place to use this password. So my advice would be to check your notes to see if you really ran the most basic tools yet.

  • @asger said:

    @n0tch said:
    I have the idk password and don't know where to use it :)

    My problem was that I skipped some basic enumeration. This led to missing the place to use this password. So my advice would be to check your notes to see if you really ran the most basic tools yet.

    I've run all the basic tools I can think of. Is there a username associated with the idk password, or is it a service that only takes a password? PMs welcome for user, wanna try root on my own

  • Finally rooted! I didn't really like the user part, but the root part was really fun.

  • @asger said:

    @n0tch said:
    I have the idk password and don't know where to use it :)

    My problem was that I skipped some basic enumeration. This led to missing the place to use this password. So my advice would be to check your notes to see if you really ran the most basic tools yet.

    @axle05 said:
    Got the password idk*********. But not sure how to proceed from there. Any hint please?

    I am stuck at the same point :( any hint is very welcome, thanks!

  • Does anyone mind helping me out in trying to figure out this esoteric bs? Done wasting my time researching pointless stuff. Thanks!

  • for password idk*********, enumerate more in a web page ;)

  • I have user, now onto root.
    I do know what to do with the r**-file but one way or the other I can't get it to work. Anyone willing to have a look at my process/proceedings?

  • I'm at user level at the moment. See 1 file that interests me, but am not able to find my way into this file to get root.

  • Some help on the !?. code would be appreciated. PM me :)

    WillIWas

  • @kekra said:

    @l30n said:
    Yeah someone told me you can do everything on the machine as a www-data user? Can anyone verify that?

    Yes - no escalation to another user required for rooting the box!

    To everybody struggling with priv esc: I'd recommend again to search for videos on retired boxes that required the same type of BOF - and to practice with one of these boxes if you are VIP.
    For me, those videos were the best and fairly self-contained 'step-by-step' tutorials for that method. If you rooted one of the old boxes, you should be able to use your old exploit script as a template!

    No, I get that. Do you have to be one of the two other low priv users other than www-data for the ROP privesc? Privesc is a real PITA IMO, def not like SLMail or Crossfire BF. It takes some creativity. The box doesn't have gdb installed. Is there another tool on this box I'm missing since others have done this without having to download anything to their own machine?

    Huejash0le

  • @l30n said:

    @kekra said:

    @l30n said:
    Yeah someone told me you can do everything on the machine as a www-data user? Can anyone verify that?

    Yes - no escalation to another user required for rooting the box!

    To everybody struggling with priv esc: I'd recommend again to search for videos on retired boxes that required the same type of BOF - and to practice with one of these boxes if you are VIP.
    For me, those videos were the best and fairly self-contained 'step-by-step' tutorials for that method. If you rooted one of the old boxes, you should be able to use your old exploit script as a template!

    No, I get that. Do you have to be one of the two other low priv users other than www-data for the ROP privesc? Privesc is a real PITA IMO, def not like SLMail or Crossfire BF. It takes some creativity. The box doesn't have gdb installed. Is there another tool on this box I'm missing since others have done this without having to download anything to their own machine?

    I used only default tools available on the box for getting the required addresses, the same tools that ippsec usually uses. You can do anything on Frolic, and I did not escalate to another user

  • @dionero said:
    The first part really really sucks, but I learned something from both the user part and the privesc.

    I think IppSec's October video might help anyone struggling with privesc.

    Rooted because of this hint. It has everything you need to get priv esc.

    I really disliked the first part of this box, but the priv esc part made it all good again because this was my first BOF box.

  • My first machine where I had to mess with a file. The start was a bit "dull". Not as expected. But after passing that and having user (which was quite easy)... But then root came along....

    I have to thank @ippsec for his videos.

    If you follow the steps. It's an easy machine. Thanx @sahay

  • An ok box, hated the first part where I was guessing the entire time, and loved the BOF challenge, it was a matter of minutes, a simple ROP technique was required since ASLR was disabled

  • Hey could anyone give me a hint for where to use the idk***** password (where to find a username??).
    I understand I need to be looking through http enum but I have not found anything (I found a username and password that doesn't seem to get into anything)...

  • As far as the idk**** password, enumerate AGAIN with gobuster/dirb/dirbuster or your favorite guess-the-dirs tool. Sometimes this box needs a reset as it returns 500's for unknown reason, just reset it

  • @avetamine said:
    As far as the idk**** password, enumerate AGAIN with gobuster/dirb/dirbuster or your favorite guess-the-dirs tool. Sometimes this box needs a reset as it returns 500's for unknown reason, just reset it

    Is this comment correct? Can someone else confirm that there is a problem with this box? I am stuck at the same point.

    Arrexel

  • what do you mean?

  • @Akumu said:

    @avetamine said:
    As far as the idk**** password, enumerate AGAIN with gobuster/dirb/dirbuster or your favorite guess-the-dirs tool. Sometimes this box needs a reset as it returns 500's for unknown reason, just reset it

    Is this comment correct? Can someone else confirm that there is a problem with this box? I am stuck at the same point.

    If you get this error reset the box. This means you spammed too hard.

    Baikuya
    OSCP
