Hint for Waldo

Managed to get user rather fast. I know my PHP. :slight_smile: Now working on root, think I have ‘the file’ people are talking about. I gotta admit my linux commandline know-how is hitting a bit of a wall. Still on it though!

@blackhood said:

A better finale would’ve made this box epic. There’s so many places that could’ve gone. lol

Indeed, it was a bit “underwhelming”. But still, I ended up with a valuable addition to the enumeration workflow.

Rooted this box. Getting root flag was tough but got it. Cheers!

Spoiler Removed - Arrexel

Would be nice to get a nudge on the privesc via PM

■■■■…
need some help for PE

I can read all the files in the system via RCE. Anyway I cannot find the right way to inject a RCE inverse shell remote. Please PM with a nut

could someone possibly help with whats required for initial foothold - I know what ive got to do and where, how to exploit it but I’m not a php coder - Servers and Networks are more my thing (this will be a usefull learning experience)

Stuck on privesc. I’ve enumerated the usual stuff, any nudges on the right direction?

Can anyone PM me a nudge in the right direction for Privesc? I’m aware of the file that is able to do stuff it really shouldn’t…not sure how though or how to replicate it.

@The5thDomain said:
Can anyone PM me a nudge in the right direction for Privesc? I’m aware of the file that is able to do stuff it really shouldn’t…not sure how though or how to replicate it.

Same here, anybody here who can give me a hint?

Spoiler Removed - egre55

@waspy said:

@Pratik said:
Rooted this box. Getting root flag was tough but got it. Cheers!

in the file we should put a case that read root.txt for us
am i on the right track

Not quite. Would the compiled program be able to read the flag?

@Cli3nt said:

@The5thDomain said:
Can anyone PM me a nudge in the right direction for Privesc? I’m aware of the file that is able to do stuff it really shouldn’t…not sure how though or how to replicate it.

Same here, anybody here who can give me a hint?

I wasted my half of day behind that file nothing worked finally i read the root flag using some other binary

@venki9990 said:
@Cli3nt said:

       @The5thDomain said:
 Can anyone PM me a nudge in the right direction for Privesc? I'm aware of the file that is able to do stuff it really shouldn't...not sure how though or how to replicate it.





  Same here, anybody here who can give me a hint?

I wasted my half of day behind that file nothing worked finally i read the root flag using some other binary

same what a rabbit hole

Any hint for priv ecs? I was thinking I should edit loxxxxxxxx file, but after read the posts, I think i am in a wrong way?

Updae: NVM.

is it possible to get root ?

@seiyathesinx said:
is it possible to get root ?

Yes. Of course it is possible to get root.

@gedsic said:

@waspy said:

@Pratik said:
Rooted this box. Getting root flag was tough but got it. Cheers!

in the file we should put a case that read root.txt for us
am i on the right track

Not quite. Would the compiled program be able to read the flag?

i got root and has no deal with thous files, there is a bin running as root use it to get the lag

@seiyathesinx said:
is it possible to get root ?

yes, but not necessary