Hint for Waldo


Comments

  • Got root.txt after lots of hours. The privesc part was something new for me, what a hard learning class. As others, I love and hate this box at the same time, thanks to the makers.

    Tip for the privesc: Don't expect to find the exact solution in exploiting_capabilities_the_dark_side.pdf. Take it only as an introduction to capabilities. The solution is easier than that, think and search a bit on the box.

  • So has anyone actually got root (not just accessed the root.txt file)? If so, can you PM me to point to how you did it?

  • edited September 2018

    Got root! It pushes at the limit of your capabilities!
    BUT I've learned a lot of excellent things!

    Jugulairel

  • Got root.txt rolf, what a nice box on the privesc, pushing me to learn new things, I've never seen it before :+1:

    Anyone who wants some help, just ask!

    Cheers!

  • I've just figured out that some days ago a specific enumeration tool was updated with new capabilities. Update your enumeration tools before using them for the privesc part ;-)

  • I think I'm jailed..... I want to break free :), but no idea how to do it. Usual rshell bypass techniques didn't work. Could someone please lend me a hand? PM please.

  • I took a break from this, re-traced what I did and found waldo. Yay me.

  • I'm stuck on user n*****, unsure what steps to take next - there is a lot of talk about user m****** - do I need to be that user to obtain root? PMs for hints would be much appreciated.

    Disloquer

  • edited September 2018

    Got root! After a good sleep and hours of researching! The way to read root file is a hidden way for me. A search command solved my problem in 1 minute. There are so many files and folders that make you think inside the box.
    Learned a lot from this box. Enumerating is never enough.
    p/s: This is an interesting privilege escalation vector

  • edited September 2018

    I am stuck. I am user n*****, and I found the SS* credentials of the user m****** but the problem is that I cannot login using those credentials (I tried using the famous metasploit module that helped me login to the user n***** as well). Probably the problem is that I don't know something that I should. If someone could PM me and give me a hint (not a solution - spoiler) towards the correct direction, it would be great! Thank you!

    EDIT: I just found my mistake, God, I am so stupid. You don't need to login externally with ssh, but rather "internally" using a standard ssh command.

    Revolution

  • help on initial start point?

  • found a vulnerability ;) !

  • I have the thing, I can read files and directories, but I don't know what to do... would I find id_rsa for ssh or maybe try to get a reverse shell before?? hints by pm please :)

  • Fun box, but the priv esc was a little boring. Or at least the way that I got the flag was. I'd be interested to play around more and hear about other options for actually getting a root shell if anybody has any.

    --Skunkfoot

  • @Skunkfoot said:
    Fun box, but the priv esc was a little boring. Or at least the way that I got the flag was. I'd be interested to play around more and hear about other options for actually getting a root shell if anybody has any.

    Server has radare2 1.1 on it. I think there are some tricks that can be done with it, using l**M**** but I have never tried.

  • Stuck in getting root, tried to research about capabilities, but it seems there are no set*** / get*** commands to check the file capabilities. Tried to look at the text editors, but totally no idea. Would appreciate if anyone can give me some hints? Thanks

  • @meowzilla said:
    Stuck in getting root, tried to research about capabilities, but it seems there are no set*** / get*** commands to check the file capabilities. Tried to look at the text editors, but totally no idea. Would appreciate if anyone can give me some hints? Thanks

    If you're out of the "jail" then all commands are available assuming your PATH is sorted.

  • Could someone PM me with some hints to move me forward. I'm logged in as user n*****. I see people talking about moving onto user m******, but I have not seen that user on my travels.

    I see that this machine is a D*cr container. I also see people talking about breaking out. I assume this is breaking out of D*cr?

    Any tips appreciated to get me moving forward!


  • edited September 2018

    Hi guys, I need help on this machine. I can write some php code in /.list/list11 but I don't know how to exec it. I have got all source files but I can't find the way.

  • OK that's the second time I've overlooked the same private key, but looked at every other file ><. Haha


  • edited September 2018

    Rooted. Thanks for the hints in this post - they are enough to get you through the box. The only tips I would give would be to read all these posts over and over and to read everything in .ssh folders! Not just some of the files :D


  • > @MindOverflow42 said:
    > Hi guys, I need help on this machine. I can write some php code in /.list/list11 but I don't know how to exec it. I have got all source files but I can't find the way.

    So you can't execute code but you can read files.....maybe there's something useful you can find.

  • @safin said:
    can someone tell me how to login to ssh
    it just gave me
    Load key "key": invalid format
    and
    Permission denied (publickey).

    Hi, I have the same issue. Did you find a solution?

  • @flexkid said:

    @safin said:
    can someone tell me how to login to ssh
    it just gave me
    Load key "key": invalid format
    and
    Permission denied (publickey).

    Hi, I have the same issue. Did you find a solution?

    No, what about you?

  • edited September 2018

    If something is an invalid format check there are no bad characters. Look for \t and \/.

    If trying to ssh -i you should be passing the private key


  • Had the same thing at first, then I just substituted

    ":%s/\\n/\r/g"

    I had to also substitute backslashes

    ":%s/\\//g"

    (when done in vim... sed is probably slightly different).
    The key should then be in the proper format
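
The clean-up described in the two posts above, as an added example that is not part of any post: a key copied out of a JSON response still carries literal `\n`, `\t` and `\/` escapes, and a PEM parser rejects it until they are undone. The function names are hypothetical and the sample is constructed filler bytes inside PEM armor, not a real key.

```python
import base64
import re

# PEM armor: BEGIN line, base64 body, matching END line, each on its own line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?\Z", re.S)


def unescape_key(raw: str) -> str:
    """Undo the JSON-style escaping left in a key copied from a JSON response."""
    text = raw.strip().strip('"')
    # Base64 and PEM armor never contain a backslash, so these literal
    # two-character sequences can only be escaping residue.
    for seq, repl in (("\\r", ""), ("\\n", "\n"), ("\\t", ""), ("\\/", "/")):
        text = text.replace(seq, repl)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return "\n".join(lines) + "\n"


def pem_problems(text: str) -> list:
    """List the reasons a key parser would reject this text as PEM."""
    problems = []
    if "\\" in text:
        problems.append("backslash escapes present")
    match = PEM_RE.match(text)
    if not match:
        problems.append("BEGIN/END armor lines not on their own lines")
        return problems
    try:
        base64.b64decode("".join(match.group(2).split()), validate=True)
    except ValueError:
        problems.append("body is not valid base64")
    return problems


def make_sample() -> tuple:
    """Constructed sample: armor around filler bytes, not a real key."""
    body = base64.b64encode(b"\xff\xfe\xfd" * 32).decode()  # contains '/'
    pem = "-----BEGIN RSA PRIVATE KEY-----\n{}\n{}\n-----END RSA PRIVATE KEY-----\n".format(
        body[:64], body[64:])
    escaped = '"' + pem.replace("/", "\\/").replace("\n", "\\n") + '"'
    return pem, escaped


if __name__ == "__main__":
    pem, escaped = make_sample()
    print(pem_problems(escaped))                # two problems reported
    print(pem_problems(unescape_key(escaped)))  # []
```
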

  • @safin said:

    @flexkid said:

    @safin said:
    can someone tell me how to login to ssh
    it just gave me
    Load key "key": invalid format
    and
    Permission denied (publickey).

    Hi, I have the same issue. Did you find a solution?

    No, what about you?

    Nothing, still stuck

  • @Underworld said:
    If something is an invalid format check there are no bad characters. Look for \t and \/.

    If trying to ssh -i you should be passing the private key

    Thanks for the suggestion, I think I fixed that issue but now I have this error:
    m*****@....: Permission denied (publickey).
    I tried with the other user no**** but nothing. Do you have any hint?

  • edited September 2018

    @ZaphodBB said:
    Just getting initial foothold - unless I'm completely mistaken and I'm barking up the wrong tree, it seems to me like the details for initial users are gained by directory traversal - php exploitation.

    @ZaphodBB I am able to list

  • edited September 2018

    I am able to list the contents of all the folders but can't retrieve the keys, keeps giving me a false entry
