Official Ready Discussion

Comments

  • @acetum said:

    I feel your pain. I'm stuck at the same place too. Foothold was pretty straightforward, but can't seem to find anything useful to keep going.

    If you have a shell on the box, enumeration is really important.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited December 2020

    @TazWake said:


    If you have a shell on the box, enumeration is really important.

    yes. I haven't given up, I'm still looking!

    EDIT: found it! Gotta read every line...

  • Can someone please PM me on how to get root? I'm stuck and I'm spinning circles here. Thank you

  • @enixium said:

    Can someone please PM me on how to get root? I'm stuck and I'm spinning circles here. Thank you

    I've sent you a message.

  • This should really be an easy box.

    User: Google
    Root: Enumerate / grep
    D***** escape: Enumerate what you can do with a root account.

  • I've got the user flag and had a shell with the user account, but when I try to su it just tells me "su: must be run from a terminal". Can anyone give me some hints? Many thanks :smile:

  • edited December 2020

    User: burp your baby, read the exploit, search for keywords
    Stabilize the shell because you can't stand terminals without prompts like me:
    script -c "/bin/bash -i" /dev/null
    root: ***-260 + grep is your friend.
    root flag: "Do you think that's air you're breathing now?" Check if your elbow is percussive

  • I've got user and r_p. Don't know where to use it. Can anyone help me with further steps

  • @thePr0fessor said:

    I've got user and r_p. Don't know where to use it. Can anyone help me with further steps

    I am not sure what r_p is.

    If you have the user flag, privesc is largely enumeration.

  • @TazWake said:

    @thePr0fessor said:

    I've got user and r_p. Don't know where to use it. Can anyone help me with further steps

    I am not sure what r_p is.

    If you have the user flag, privesc is largely enumeration.

    I think we're on the same page, stuck on privesc. He's referring to the /r_p file.

    Need help as well.
    I used a public exploit for the foothold, shell prompts for g** user, is this the right path? I managed to come across the /***/b***** directory, my gut says this is the right path to privesc, however no idea how to use this information. Can someone confirm this?

  • @bigoteman said:

    @TazWake said:

    @thePr0fessor said:

    I've got user and r_p. Don't know where to use it. Can anyone help me with further steps

    I am not sure what r_p is.

    If you have the user flag, privesc is largely enumeration.

    I think we're on the same page, stuck on privesc. He's referring to the /r_p file.

    I suspect that is a rabbit hole.

    Need help as well.
    I used a public exploit for the foothold, shell prompts for g** user, is this the right path? I managed to come across the /***/b***** directory, my gut says this is the right path to privesc, however no idea how to use this information. Can someone confirm this?

    Yes, that is the right path. If you read through it, you will have an idea what to do.

  • If you have shell as the g** user you are on the right path. Next, enumerate to find something which will help you switch to a more powerful user. E.g. do any config files contain a credential you could use?

  • @TazWake said:

    @bigoteman said:

    @TazWake said:

    @thePr0fessor said:

    I've got user and r_p. Don't know where to use it. Can anyone help me with further steps

    I am not sure what r_p is.

    If you have the user flag, privesc is largely enumeration.

    I think we're on the same page, stuck on privesc. He's referring to the /r_p file.

    I suspect that is a rabbit hole.

    Need help as well.
    I used a public exploit for the foothold, shell prompts for g** user, is this the right path? I managed to come across the /***/b***** directory, my gut says this is the right path to privesc, however no idea how to use this information. Can someone confirm this?

    Yes, that is the right path. If you read through it, you will have an idea what to do.

    Yup, it's a rabbit hole --___--. Got root! Thank you!

    @camk said:
    If you have shell as the g** user you are on the right path. Next, enumerate to find something which will help you switch to a more powerful user. E.g. do any config files contain a credential you could use?

    Thank you for the tip! :wink:

  • edited December 2020

    Got root. Have no idea about escaping; maybe a nudge would help.

  • @thePr0fessor said:

    Got root. Have no idea about escaping; maybe a nudge would help.

    Escape the thing you are in.

  • i'm having trouble with user, i have g** user shell, but enumeration feels endless, i'm not finding anything useful :/ any help?

  • @ShadowSuave said:

    i'm having trouble with user, i have g** user shell, but enumeration feels endless, i'm not finding anything useful :/ any help?

    It's worth looking for an optional folder which isn't normally on a system. Look inside it.

  • Can anyone help me figure out how to escape? i'm assuming i need to use a certain password to su but i'm really struggling to get a tty. this isn't something i've done before so i might be missing something obvious but all the techniques i've come across aren't installed on the box. Can anyone give me an idea about what i should be looking into?

  • @Arty0m said:

    Can anyone help me figure out how to escape? i'm assuming i need to use a certain password to su but i'm really struggling to get a tty. this isn't something i've done before so i might be missing something obvious but all the techniques i've come across aren't installed on the box. Can anyone give me an idea about what i should be looking into?

    They might be installed on the box.

  • Hello all. I am rooted in the D***** C********, however, all the exploits I have found point to using C code. It doesn't have gcc or make in the C********. Any tips?

  • Simple movement here
    Foothold: what is that on that high port, and find yourself an exploit for it
    root: Dig through files, try everything juicy in them to escalate, then basic escape, done.

  • @ealcorey4 said:

    Hello all. I am rooted in the D***** C********, however, all the exploits I have found point to using C code. It doesn't have gcc or make in the C********. Any tips?

    You don't need to build anything for this privesc.

  • ROOTED. Easier than Laboratory.
    Write me for nudges!

  • Rooted, thanks to the valuable tips on this post.

    My biggest struggle was to obtain a stable shell that allowed me to switch user
    (script -c "/bin/bash -i" /dev/null worked out)

  • Hello, it is my first box and I am struggling a lot to find a way to have a shell. I found on Google how to exploit it. I found 2 different scripts which are working. Nothing happens on my nc console when the script succeeds! I don't know what is wrong!!! Has somebody already had this? If someone can help me, PM me please. Thanks and a happy new year to everybody!!!

  • @busshi said:

    Hello, it is my first box and I am struggling a lot to find a way to have a shell. I found on Google how to exploit it. I found 2 different scripts which are working. Nothing happens on my nc console when the script succeeds! I don't know what is wrong!!! Has somebody already had this? If someone can help me, PM me please. Thanks and a happy new year to everybody!!!

    Hi, I found 3 scripts but none of them worked without some modifications (including bugs). Have you checked that the payload to get the shell is correctly delivered? If you need more concrete help just DM me.

  • edited January 2

    Pwned machine! yeah!

    hint:
    root: grepping hard
    web: check google for vulnerability.

  • edited January 2

    Very interesting box. Definitely new concepts that we don't often see in the CTFs. FULL of rabbit holes.

    One issue; Found the user password but when I tried it at first it didn't work so spent a couple unnecessary hours digging deeper.... *bangs head... anyway, came back to things with a reset box and the password worked. Someone must have changed it for some reason that breaks my heart. haha.

    Foothold -check
    user- check
    rooted- check

    As has been said, Hacktricks will help with true root. Getting user may take longer than actual root if you don't search properly. It's not a place that is often seen here so think outside the box. and look at everything. rabbit holes for days...

  • @ThymineDNA said:

    Rooted, thanks to the valuable tips on this post.

    My biggest struggle was to obtain a stable shell that allowed me to switch user
    (script -c "/bin/bash -i" /dev/null worked out)

    python3 -c 'import pty; pty.spawn("/bin/sh")' ??

  • Rooted! Great box, I learned so much.
    Special thanks for opening my eyes. You think that's air you're breathing.
    @professormoody
    @ThymineDNA

    @likelytarget had the best foot to root hints
