Hint for Waldo

is it possible to get root ?

@seiyathesinx said:
is it possible to get root ?

Yes. Of course it is possible to get root.

@gedsic said:

@waspy said:

@Pratik said:
Rooted this box. Getting root flag was tough but got it. Cheers!

in the file we should put a case that read root.txt for us
am i on the right track

Not quite. Would the compiled program be able to read the flag?

i got root and has no deal with thous files, there is a bin running as root use it to get the lag

@seiyathesinx said:
is it possible to get root ?

yes, but not necessary

What do you guys mean by m****** user? What have I missed? Like someone said before there’s nothing in passwd, I’m in as n***** user at the moment.

@hattonsec said:
What do you guys mean by m****** user? What have I missed? Like someone said before there’s nothing in passwd, I’m in as n***** user at the moment.

Same as you. Not understanding that m****** user.

Spoiler Removed - Arrexel

Finally got root, the vm is epic except for the first step for privesc (the so mentioned ssh with user m******) which I think is a way too long shot to even think about it (I was so paranoid that I just tried it out of desperation).
So to give a hint about it, just do normal enumeration and think about what looks weird about it all, then try to guess (and prove) what’s going on and guess again how you would be able to escape with all the information you have, don’t spend time building other stuff or doing crazy ■■■■, you have it all in front of you (just need a breakthrough).
Once you have escaped, you still have some fun ahead :smiley:

Still struggling with priv esc…Can someone hint to me whether or not res*********.sh has anything to do with priv esc?

Is anyone awake that wouldn’t mind working with me to nudge root? I’ve gone back and forth and I know im missing something silly…need to bounce ideas off of someone!

Thanks!

I would love some advice on the initial step. I have found some interesting files and can read those but no idea how to proceed further

For the love of all hacking STOP RESSETING THE Fing box. ■■■ enum a little.

Can anybody offer a gentle push in the initial steps. Have enumerated the directory that the page is located, have found code for several pages, but not managed anything further. Thanks

@richeze said:
Can anybody offer a gentle push in the initial steps. Have enumerated the directory that the page is located, have found code for several pages, but not managed anything further. Thanks

Same here. Also suspected that a proxy like BS must be the key. However made almost no efforts. For some reason cannot make the foothold. PM?

@hopihallido said:

@richeze said:
Can anybody offer a gentle push in the initial steps. Have enumerated the directory that the page is located, have found code for several pages, but not managed anything further. Thanks

Same here. Also suspected that a proxy like BS must be the key. However made almost no efforts. For some reason cannot make the foothold. PM?

Feel free to include me as well - im at the same spot and have found some source code/files.

Anyone able to drop me a PM with a hint on user, I am able to read files etc… but not sure what to do next

I definitly need help on privesc, you can catch me on mattermost or send me a PM. I feel like i can already smell it but dont get it yet.

fyi… waldo is in the bottom left hand corner of the background if anyone is wondering. Ok back to trying to get user!

Got root - nice machine and definitely worth the time - learned something “new” to look into while doing enumeration. (Even if its 10+ years old)

this one still has me stumped- Im using burp, zap - its clearly a traversal thats required for user. have googled php , php exploits and nothing seems to return anything. Either i’m missing something completly or it because the box keeps getting reset and I belive its hammered with a brute force at times