• I can’t even work out where to start
  • edited October 2019

    Are there some problems with the server? I know how to get user, it's obvious, but it seems the cron doesn't work, because I've been waiting for an hour. Or maybe I'm doing something completely wrong?

    Got root and was doing everything right. Sometimes you need to reset a machine if cron isn't working.

    Hint for root: google files that might be interesting

  • edited October 2019

    Hints for ROOT? I'm stuck on ch******.s***

  • @codebear said:

    G'day all again,

    I'm getting into a rhythm of rooting boxes and as always the forum is a source of great inspiration and I always like to give back.

    Just to note for this box I'm on a private server so I didn't get any spoilers but a big shout out to @letMel00kDeepr, @LastC0de and @Apr4h for nudges on the USER portion.

    INITIAL FOOTHOLD: This is pretty straightforward, think double ext and magic bytes. I picked this up from an IPPSEC video (although I can't remember which one).

    USER: The hints in here are TOUCH and you'll need a special character ';'. Figure out where this needs to go and be patient. If you're on the free server you'll probs get this straight away.

    ROOT: Basic privesc will lead you and then read code again.

    If you need help PM me.

    what do u mean by TOUCH?

  • edited October 2019

    Finally rooted, for me the root part was the most difficult part

  • edited October 2019

    If someone is stuck on getting user shell, read nc man carefully.

  • Got a low priv shell, now trying to get user. I saw when something runs, and got c*****a*****.***. Also thanks to leftovers/forum posts I get what should be done. However I can't figure out exactly what and why it should work, anyone I could PM for a hint?


  • Any chance I could get a hint on viewing Got shell as A****e, looked through c_a but not any good with understanding what it means. Think I understand the 'touch' reference but not sure how to make use of it. PM's are welcome :)

  • edited October 2019

    @kalagan76 said:

    I'm almost at the point where I'm going to throw my laptop out of the window. I've been stuck for days now.

    I'm on the box as a****e and trying to get a shell as g***. I've read a lot about c*****d i*******n and understand how it works but just not in the context of the c***k_a****k.php and cron files.

    I don't understand where I could inject the command... I've tried to create a file, upload a file with the command in the name, etc...

    Help!! :-(

    Same here! :(
    Can anybody help me to understand where to touch?
    DM please

  • It was mentioned earlier in this thread, the best hint for user is:

    if you can understand what the article is about you should understand what you need to do for user

  • edited October 2019

    Rooted, but I think I don't fully understand why a particular input worked in the root part (certain sign in passed variable/command and its usage in **c* command in ***n***a**.*h script). I would be grateful if somebody could DM me with a short explanation, just to exchange experience and gain some knowledge.


  • For root, if my search was correct, CentOS team says that the technique used for privilege escalation is not an issue :D

  • @jish2002 said:

    I can’t even work out where to start

    Try to enumerate files and directories on the server. Maybe you find a file or a directory that stands out, that you think should not be there, then take a look at that and ponder what you can actually do.

    Remember: These boxes are made to be hacked. What you find is usually a very good hint at what you can use.

  • Ok. I'm still trying to upload stuff in the place for uploading stuff. After a bit of googling I got that I need to change some stuff in b*** S***. The problem is that it is still not working. Can someone give me a hand? All PMs are welcome.

  • I am totally stuck with low priv access. I see u****s but whatever I upload is never there except a dot. Really in need of a nudge.

  • @XanderCrews said:

    It was mentioned earlier in this thread, the best hint for user is:

    if you can understand what the article is about you should understand what you need to do for user

    Thanks for posting this, it was really helpful. I read it in an earlier comment and it was the first useful hint I got from this thread and helped me get user.

    Rooted. Anyone who needs help can DM me.

  • edited October 2019

    Stuck at low priv esc. Can I have any hints on how to PE to user?

    EDIT: Got user. Moving on to root. Have a sense of how I can exploit it, but having issues working the code

    EDIT: Got root entirely

    PM for hints if needed. Thank you to all those who helped me.

  • Rooted!😃
    This was a challenging but also fun box for a noob like myself, definitely learned a whole lot. Getting user was a serious struggle, but root wasn't so bad.

    Shout out to @ShayNay for all the help!

    Feel free to PM if you need any assistance with the box.

  • Hello, may somebody PM me for help?

    Much appreciated:)

  • Rooted! My first box. Was rather fun! Really enjoyed it. To get the initial shell: Trick the server to think something is something else. User: Find interesting file, see what it does. Timing is crucial. Exploit it! Root: Basic enumeration. You can also google it.

  • I'm root thanks for all :=)
    Feel free to PM if you need any hint.

  • Stuck at u****d.***, help plz to noob :)

  • If u are a n00b like me it's going to be a pain in the arse.... but trust me, this box is easy and it gives some cool knowledge... took me 3 days for user and 10 minutes for root. {my safemade first blood record} ..thanks to all guys for their nudges

  • edited October 2019

    Spoiler Removed

  • Rooted, Thanks r0xas for your help, Feel free to PM if you need any hint.

  • Looking for a small hint, working on root. Found the script, I understand most of what it's doing but unsure how to leverage this into something useful for myself

  • I have uploaded my shell using double extension, but can't get the session. The up***** dir shows "." (dot). I tried calling the file name through u******/file_name but got 404..

    help and DMs would be extremely appreciated :)

  • I more or less get how root works now, thanks @aho for your help!

  • I am totally stuck on user, can't read the u*.t file, can someone give help about this? Or give a good reference please.
