Hint for Waldo

Comments

  • @drUIdmoz said:
    oh shit!

    I keep getting this when trying to use the file that has extra hacker capabilities...

    *pts/0���[�
    pts/0ts/0monitor127.0.0.1���[C�$

    when I have @#$@_read_search I don't understand why I can't read what I'm trying to read....

    I am getting it too, don't worry. I think we just need to try harder.

    my4andle

  • Alright I want a nudge. I have broken out of jail and updated for proper exports. I am unable to get l**r working even with modified see. I am not finding anything capable of reading the file I want despite checking all of the bins. Please PM me a small hint.

    my4andle

  • edited October 2018

    Never mind got it. Not sure how I missed that earlier.

    PM for a root nudge if you find yourself pacing around the bottom of a dumpster.

    my4andle

  • Any tips for user? I am playing with BS but I can't seem to read anything worth looking at and am pretty stuck atm. PMs are welcome.

  • PM me if you need some help on this.

  • @Calvo said:
    Any tips for user? I am playing with BS but I can't seem to read anything worth looking at and am pretty stuck atm. PMs are welcome.

    Take a look how lists work.

  • rooted, a good enumeration is the key in all steps towards root

    feel free to PM for hints

    keresh

  • Finally got it rooted - very simple once you know what you are doing. Look into the commands you have available is my best piece of advice. If anyone would like any hints then drop me a PM.

  • Unmasked Waldo's root! Thnx for the help!

  • I got the root flag, but can't for the life of me find a way to escalate to a root shell. I was able to dump shadow, but I feel like there must be a better way than just bruteforcing some passwords. Any hints on root shell? I know I'm capable, I've tried taking a lot of different tacks, but nothing I read seems to be what I need.

  • @jfredett said:
    I got the root flag, but can't for the life of me find a way to escalate to a root shell. I was able to dump shadow, but I feel like there must be a better way than just bruteforcing some passwords. Any hints on root shell? I know I'm capable, I've tried taking a lot of different tacks, but nothing I read seems to be what I need.

    From what I've seen so far, no. Unless there's some file you can read that would give you access, but /root/ doesn't have an authorized_keys file.

  • edited October 2018

    Finally got the root.txt, thanks to the continuous support from @LordRNA @atxxx.
    Tips for everyone:
    1. Hints given in this forum are enough for priv esc but limited on the first step.
    2. There will be four stages that you have to do; capabilities is at the last.
    3. BurpSuite will be your best friend for the first stage; find out about the LFI and learn more about it and it shall be enough to get you through.
    4. Stop resetting the server as other people may be halfway through doing something; resetting the server will not get you root.txt.

    Arrexel

  • Can read the different PHP files but struggling to read anything interesting :(

  • Hi, I got the SSH keys of n****y but I am not able to format them correctly. Please can anyone help to format both of those keys? :( I am so confused about HOW to format them because googling wasn't helpful for me.


    Leaning From Cracking......

  • @CrKMinD said:
    Hi, I got the SSH keys of n****y but I am not able to format them correctly. Please can anyone help to format both of those keys? :( I am so confused about HOW to format them because googling wasn't helpful for me.

    are you sure you got the right key?

    Arrexel

  • edited October 2018

    @Jacker31 said:

    @CrKMinD said:
    Hi, I got the SSH keys of n****y but I am not able to format them correctly. Please can anyone help to format both of those keys? :( I am so confused about HOW to format them because googling wasn't helpful for me.

    are you sure you got the right key?

    Yes sir, it's m*****r. I found it in /home/n****y/.**h/.m*****r (is it correct?). Thanks for the reply.

    EDIT: GOT USER!!!! Feel free to PM for user, trying root.


    Leaning From Cracking......

  • @CrKMinD said:

    @Jacker31 said:

    @CrKMinD said:
    Hi, I got the SSH keys of n****y but I am not able to format them correctly. Please can anyone help to format both of those keys? :( I am so confused about HOW to format them because googling wasn't helpful for me.

    are you sure you got the right key?

    Yes sir, it's m*****r. I found it in /home/n****y/.**h/.m*****r (is it correct?). Thanks for the reply.

    The key is in the correct format and it has the same access to other accounts as well. Furthermore, if you got the key from PHP LFI, then you will need to fix the formatting. A few of the members in this forum have already posted ways to fix the formatting. You will need them to connect to no****.

    Arrexel

  • Rooted this evening. User was harder than system IMO but don't let this fool you.. If you want to get the root flag you've gotta do some reading and digging and experimenting. Don't know how to get root shell yet but I plan on trying again.

    Hack The Box

  • edited October 2018

    Looking for assistance with the final stages of this. I have found waldo, looking for root. Accessed as m*****r and found files that are capable of getting the root.txt but I cannot for the life of me work out how. I have compiled code and am using a script that I think should work, but it is failing. Help appreciated.

    Edited: spent the whole day down a rabbit hole. I feel so stupid now, blinded by the overcomplicated techy approach when simple enumeration of the system would have taken less than a minute to identify.

  • edited October 2018

    Rooted. Learnt a lot, this was definitely out of my comfort zone, thanks to the creator for the great lesson! My hints for those who are struggling with this:

    ° Use Burp to analyze everything that happens in the web app, try to play with the parameters under your control and see what happens. If you get stuck at this point, you can take inspiration from here:

    https://tipstrickshack.blogspot.com/2013/02/how-to-bypassing-filter-to-traversal_8831.html

    ° once you can bypass the filters, look around, you'll find something a little bit strange in one of the usual directories we always look at in unix systems...

    ° use what you found with "the service", but don't throw it away after that! It will serve you again soon...

    ° once in the jail, you'll have to find a way to get out...there's not much I can say without spoiling, but you can check a very detailed guide, one of the first things you'll see if you'll google this technique. Be sure to try EVERY possibility, even those which shouldn't work...

    ° Now the final part... I've seen a lot of talk about capabilities here... It's not wrong, you'll need to find the tool with the right capabilities, but don't overthink this step too much! What you can find here

    https://packetstorm.foofus.com/papers/attack/exploiting_capabilities_the_dark_side.pdf

    is far more complicated than what you really need! Keep it very, very simple in this step, and do basic enumeration. Sometimes the opposite of what we desire is still awesome for us!

    Hope this is not spoiling, happy hacking!

    TheInnocent

    "I recognize, Mr. Reese, that there's a disparity between how much I know about you and how much you know about me. I know you'll be trying to close that gap as quickly as possible. But I should tell you... I'm a really private person."

  • big shout out to @rejoinder for pointing me in the right direction :+1

  • Rooted! This was my first Linux box- a very fun challenge. I was a little disappointed that I spent so much time reading that C source, when the final escalation turned out to be so simple.

    noahcain

  • edited October 2018

    Hey, I am searching for root. I am on m*****r SSH, I bypassed the restriction, and I think I need a hint for the priv-esc. PM possible?
    EDIT: rooted but just read the flag, no shell

  • edited October 2018

    Root! Root!

  • I guess I have figured out root, just an inch away... How do I run a command like /bin/sh as root... I'm able to get a shell but as the mo***** user..

  • Same, if anyone could PM me on this I would appreciate it. I am free, but unable to get over this last hurdle. A file isn't behaving as expected either.

  • I am stuck in privesc, if someone can guide me. Tried everything from my side. Please PM.

  • @dybtron said:
    I am stuck in privesc, if someone can guide me. Tried everything from my side. Please PM.

    Now stuck in jail. Can't come out.

  • Ok, I've read through all 15 pages of comments here. I've broken out of jail and done pretty extensive enumeration of the file permissions, and tried to pass lots of files/arguments to the things I have access to, but I'm just not finding the privesc. I appreciate any general hints anyone can toss my way.

    Shadow6
