Celestial hint

@penumbra said:
Ignore, got it.

If you need a hint check out /var/log/syslog

This was the most helpful thing.

Feel free to PM for nudges

@MRKR said:

@Mnmnmnnm said:
Can I PM someone about the payload? Really have trouble here, it looks like I’m missing something. It should work since I followed the article.

Same here, having issues with payload :angry:

PM me if you need help with the payload.

@Pancakes said:
can somone pm me on getting a shell atleast? i have NO IDEA what to do. cant find any useful informasjon. please help me

You may have luck with reading up on the un-(incorrect spelling of breakfast food commonly put in a bowl with milk) bug.

ok. nice description

Rooted. I made it way harder than it really is.

Edit: Got root. My biggest hint is avoid using port 1337 since that’s what openvpn is using to connect… kept knocking myself offline like an idiot. PM me if you need help with this one!

This web app server running in this box is single threaded, so if one user exploits it and gets shell, it’s one threaded processing loop hangs on this particular request - thats why this machine is super unstable and “resetable”

@sh4nk said:
once you have enumerated enough

patience is the key with this one with priv esc !!

This got me thinking in the right direction and after that rooting the machine was easy.

why the port is filtered ,i cant reach the machine

[.] starting
[.] checking distro and kernel versions
[~] done, versions looks good
[.] checking SMEP and SMAP
[-] SMAP detected, no bypass available

working with priv esc :frowning:

UPDATE : Solved now … with full root reverse shell :slight_smile:

Rooted - interested to know what other methods exist though.

stuck trying to get root? tried the running the repeater and get the following: undefined + undefined is NaN ?? could use some help.

Okey, gonna put a great hint here and try not to give spoiler on the root.txt.

Once you are in, you need to modify a file which allows you to run command as root. When I did it that time, I used to for transport rather than escalation. For some who has been asking whether to have a full escalation, technically it is possible. Think venom… and reverse…

I didn’t go that step because I just wanted to capture the root flag, so I cut short the process.

Any hints about the prev esc ?

@Klamby said:
Rooted - interested to know what other methods exist though.

If you have the root flag, check this (password protected)

@c4u53 said:
Any hints about the prev esc ?

Check the content in the log folder to detect interesting way

I keep getting “invalid username type” error. Having trouble adding the username to the code. Can someone please help me with this?

@OTG said:
I keep getting “invalid username type” error. Having trouble adding the username to the code. Can someone please help me with this?

ignore it… and continue…

@SimVirus said:

@OTG said:
I keep getting “invalid username type” error. Having trouble adding the username to the code. Can someone please help me with this?

ignore it… and continue…

But I am not getting a shell… ¯_(ツ)_/¯

Got the shell thank you SimVirus for help. My listener command was wrong. It is always something stupid with these boxes… :smiley:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 41
ETag: W/“29-mT0hiiE62mfFMAIMRMkQ7Q6tVaM”
Date: Tue, 31 Jul 2018 13:24:37 GMT
Connection: close

An error occurred…invalid username type

any one help every time i send the payload i am getting this any advise