Poison

Hoping someone can give me a nudge in the right direction. I’ve got the secret file and set up something you can see the light at the end of, but I’m confused on how to connect as the right user. The way I’m trying it right now, I get in as the user with normal permissions. I’m not sure if I have the syntax correct, so hoping someone can push me in the direction I need to go.

got root finally. Hate this box…

Got root ■■■ this box taught me a lot especially to not overthink things, keep it simple guys and read all the good threads and their hints, they are very helpful. Read the man pages of the tools once you identify the services running on the box. Spoiler Removed - Arrexel

Think about where to use the zip file and how, that’s it.

Got root, feel free to DM for hints.

nvm

@mcruz thanks for the articles, got root

rooted. PM me for hints.

One of the kinda confusing boxes, definitely rabbit holes all around,

PM for subtle hints / explanations

Very interesting and fun box, way easier than it seemed. A little hint for anyone who is still looking for the root flag: once in take a very close look at every running process owned by root and every parameter they use, one will catch your attention because of its nature. If you’re not familiar with this particular process look it up on Google and read its documentation, one particular parameter will answer the question “what the heck is this ‘secret’ file for???”.

Good luck!

Hi
I am still unable to unzip the secret file. Grr. I will keep trying :slight_smile:

GOT IT FINALLY!
GAH this box can really drive you insane if you don’t know what you are doing.
Asked for a couple hints but they didn’t really help because all the hints you need are in this forum, and I already knew what I needed to do from the start.
The hints were really just to verify my sanity. lol
With the articles posted here, you know you are doing the right thing, it boils down to putting the commands together in the right places. I actually used PuTTY to help make sure I was doing it right, and once I googled for the 20th time, I finally executed everything correctly.
I think I spent 4 days doing the right command, just with one major flaw.

Even though I hate everything about the machine, great job, it is a great way to understand security flaws in remote management.

@Naruto985 said:
Hi
I am still unable to unzip the secret file. Grr. I will keep trying :slight_smile:

Don’t overthink it, the solution is much easier than you might think!

hi,
just got root, but without the ssh-tunnel hint I wouldn’t be able to do it.
so I wonder if there are any indications that root is using the ssh-tunnel, or was it just guessing?
Feel free to pm me :slight_smile:

So, user was flat enough…I do see something very interesting running on this box and I have a fairly good idea of the inner working using ****** over ***** tunnels but fcrackzip is going on a few hours and no dice for the secret.zip file. I thought maybe a bogus extension or something but too short to be a key? Any very gentle nudges?

@Fenrir said:
hi,
just got root, but without the ssh-tunnel hint I wouldn’t be able to do it.
so I wonder if there are any indications that root is using the ssh-tunnel, or was it just guessing?
Feel free to pm me :slight_smile:

Check the parameters of the service you used to get into root, one in particular will tell you exactly why you had to do what you did.

@n3tl0kr said:
So, user was flat enough…I do see something very interesting running on this box and I have a fairly good idea of the inner working using ****** over ***** tunnels but fcrackzip is going on a few hours and no dice for the secret.zip file. I thought maybe a bogus extension or something but too short to be a key? Any very gentle nudges?

If you have already identified an interesting process you might want to read its man page, you could find something useful in there :slight_smile:

@Baud said:

If you have already identified an interesting process you might want to read its man page, you could find something useful in there :slight_smile:

I’ve already walked 10 miles since this comment but I’m stuck in a new place. After a ridiculous problem, I realized that what I was doing was completely in folly. I extracted contents from said zip file, realized that it was a ********, also realized that the remote host is hosting a process that confirms my suspicion. Now I’m playing with command line options because while I’m not returning a login error, I’m not necessarily returning a login success either.

For some strange reason, last time I was able to download the secret.zip, and now when I scan I don’t get that port nor the place where I downloaded the zip file. Even nmap scans with filters related to **c and **h are showing just two ports open, one is ssh and the second is http. It’s been two days brrr :slight_smile: keep thinking at sleep what went wrong and where

Could anyone PM me to possibly help? I have “connected another way” after owning the user, but only get a blank screen and no way to really interact… I think I’m close but if someone would be willing to PM me for a hint it would be really appreciated. Still trying to learn :slight_smile: