@Shadow6 said:
Ok, I've read through all 15 pages of comments here. I've broken out of jail and done pretty extensive enumeration of the file permissions, and tried to pass lots of files/arguments to the things I have access to, but I'm just not finding the privesc. I appreciate any general hints anyone can toss my way.
Figured out that I know nothing about capabilities, so its back to Linux 101. #Noob
@Shadow6 said:
Ok, I've read through all 15 pages of comments here. I've broken out of jail and done pretty extensive enumeration of the file permissions, and tried to pass lots of files/arguments to the things I have access to, but I'm just not finding the privesc. I appreciate any general hints anyone can toss my way.
Figured out that I know nothing about capabilities, so its back to Linux 101. #Noob
Got the #Root flag!! Like everyone else has said, the capability is there, and it's really easy once you figure it out. The only thing for me is that I didn't even know this was a thing. I have learned a lot in this one. Thanks to the Builder for the creative box and great learning experience!!
I'm stuck on what do after getting filesystem read access, I've been going through the files in the usual suspect directories but haven't unlocked the next step to getting shell access. Can anyone PM me a hint?
@nsubram1 said:
I'm stuck on what do after getting filesystem read access, I've been going through the files in the usual suspect directories but haven't unlocked the next step to getting shell access. Can anyone PM me a hint?
Enumerate more, there is a file in the home directory that sticks out like a sore thumb. Also try reading this thread over and over again, some great advice in here.
hey there! just rooted the box but i didn't get a proper root shell. i'd have an idea on how to do it but it just doesn't work. did anyone manage to get a full root shell?
I found the user file, when I use dirRead with the correct path I can read the directory contents but when I use the fileRead with the correct filepath I see the response {"file":false}. What could be going wrong here?
@nsubram1 said:
I found the user file, when I use dirRead with the correct path I can read the directory contents but when I use the fileRead with the correct filepath I see the response {"file":false}. What could be going wrong here?
Work out how fileRead works and dont focus so much on the user.txt, instead take a very good look at the users directory, everything you need is in it.
Rooted. I spent a long time chasing my tail for the final privesc. Lots of good hints of course, but they make a lot more sense once you've achieved whatever is being alluded to. Best advice is just to enumerate.
I'm having trouble with the initial foothold ... I tried directory traversal, adding scripts to the lists but filters are too strong and I can't get anywhere
@drywaterv2 said:
I'm having trouble with the initial foothold ... I tried directory traversal, adding scripts to the lists but filters are too strong and I can't get anywhere
Look at the source, from there figure out what file it calls and with what parameters.
Hi guys! i'm having problems how to read the files at the first stage. I can get to the user file location(.m*****) using B**** but i do not know how to read the file. Can anyone help me? pm please. Thanks
i've got to the part where i've escaped the restricted thing, but i can't execute get/setcap, like everyone is mentioning in this thread. what am i missing?
@drywaterv2 said:
I'm having trouble with the initial foothold ... I tried directory traversal, adding scripts to the lists but filters are too strong and I can't get anywhere
Look at the source, from there figure out what file it calls and with what parameters.
I already know these, but I can't manage to perform the local file inclusion, and I don't even know where to go when I manage to
Can someone pm me for tips and tricks? Tried several things but stuck on user. I have lot of question, its not my mention to root this box but know several technics to get closer... thx
@evandrix said:
i've got to the part where i've escaped the restricted thing, but i can't execute get/setcap, like everyone is mentioning in this thread. what am i missing?
Comments
Figured out that I know nothing about capabilities, so its back to Linux 101. #Noob
Got the #Root flag!! Like everyone else has said, the capability is there, and it's really easy once you figure it out. The only thing for me is that I didn't even know this was a thing. I have learned a lot in this one. Thanks to the Builder for the creative box and great learning experience!!
I'm stuck on what do after getting filesystem read access, I've been going through the files in the usual suspect directories but haven't unlocked the next step to getting shell access. Can anyone PM me a hint?
Enumerate more, there is a file in the home directory that sticks out like a sore thumb. Also try reading this thread over and over again, some great advice in here.
hey there! just rooted the box but i didn't get a proper root shell. i'd have an idea on how to do it but it just doesn't work. did anyone manage to get a full root shell?
I found the user file, when I use dirRead with the correct path I can read the directory contents but when I use the fileRead with the correct filepath I see the response {"file":false}. What could be going wrong here?
Work out how fileRead works and dont focus so much on the user.txt, instead take a very good look at the users directory, everything you need is in it.
edit: Finally got root, great box!
Rooted. I spent a long time chasing my tail for the final privesc. Lots of good hints of course, but they make a lot more sense once you've achieved whatever is being alluded to. Best advice is just to enumerate.
Stop of reset the machine
soo ... this pre-user syntax is killing me ... can traverse dirs, see the content but did not figured out the file read syntax ... any hints ?
How to get the initial shell i have found 2 directories in var www - html and localhost but can't read localhost stuck here could you help me
edited: got initial shell up for root
edit:
Got root finallythanks everyone for the help...
Done. Got root. It was very silly as compared to the rnd i was doing
Out of the jail but still wandering around!!!Anyone available to talk about this machine?
WTFFFF This machine is awesome!!!. I have learned a lot!! When you get out from de jail and enable some commands take a read of this
https://packetstorm.foofus.com/papers/attack/exploiting_capabilities_the_dark_side.pdf
Thanks to @IteXss
Can anyone ping me a clue? I am in the privesc stage and already out of jail.
I'm having trouble with the initial foothold ... I tried directory traversal, adding scripts to the lists but filters are too strong and I can't get anywhere
Look at the source, from there figure out what file it calls and with what parameters.
Hi guys! i'm having problems how to read the files at the first stage. I can get to the user file location(.m*****) using B**** but i do not know how to read the file. Can anyone help me? pm please. Thanks
Edit: go the file .Thanks
finally got it! thanks to all those whom helped!
found an article which might be useful for the last mile after you break out of jail.
https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/
Hope it helps!
i've got to the part where i've escaped the restricted thing, but i can't execute
get/setcap, like everyone is mentioning in this thread. what am i missing?I already know these, but I can't manage to perform the local file inclusion, and I don't even know where to go when I manage to
Nevermind, I managed to get it working
@drywaterv2 try to use burp and see what happened
can't get the c*p bins to run in m*****r in order to PE - "No such file or directory"
should i continue trying in this direction?
Got user. It was so easy yet I spent way too much time on it, I feel stupid
Can someone pm me for tips and tricks? Tried several things but stuck on user. I have lot of question, its not my mention to root this box but know several technics to get closer... thx
check your PATH
stuck on root, any hints?
Just out of curiosity... are people really becoming physical root or just taking the flag and calling it a day ?
Root shell is not possible. People are only getting the flag and calling it "root"