Stratosphere

Ok, ■■■, this box was a hassle. It took me a while to get foothold, but its very easy to do, especially with some tips here.
The hardest part for me was priv esc, until I just sat there and looked at my enumerated data.
KEEP YOUR EYES OPEN. The priv esc to get root is right there in front of you.

Trying to get a foothold. I see what ‘actions’ i have to take just not sure how to take them. any exploits ive tried dont seem to be working. can anyone give me a nudge in the right direction?

could someone can help me with the commands used to connect to that service as I don’t even have a tty I don’t know how will i connect to it. The commands which i am using to list something always giving me an error invalid option

Edit: I am able to list databases but got nothing … any help?

Can anyone DM for a nudge on getting user?

got root thanks

Is there anyone in here got root.txt in root shell? i’ve got root shell before the .py file is run but now i try again it’s not work. I think it has more than one way to rooted this machine. Is there any problem here, can we PM to discuss about it?

[Update 1]
OK, it has 2 way to got root.txt at least, the 1st one is got root shell and got root.txt, the 2nd is some trick with a module. I did the 1st one in the 1st time but now it’s not work and i think it’s unintended way, i’ve just did the 2nd one to got root.txt again. Is there anyone rooted this machine to happy to discuss the idea?
[Update 2]
Ahhh, i think i’ve understood all the thing. Pri esc is cool and it has only a way to got it without solve the hashes. Thanks the author. If anyone need hint, feel free to PM and google is king.

P/S: Some people who got root this machine should reset or delete all the file that they’ve created.

Woo that was a great box all around. Priv esc is extremely satisfying, props to @cr4nk for helping out! I’m open for a nudge if anyone’s having trouble with priv esc or user.

OK, after 4 days (and waking up in the middle of the night with an answer which was correct) I finally got root. Getting root is easy if you know where to look. I did a huge facepalm when I got it.

This is my hint for all who are starting with this machine:

In order to find the right entrance you need to knock all the possible doors, not only the obvious ones. Then use a famous exploit and you’ll be in. Then just follow the footprints all around :wink:

I’ve been with this machine for 1 week, and I do not get the root, nor the user. I have access to the machine with a user without permissions, and a shell that allows only one line per command. I find it impossible to do a reverse shell, and the credentials I find do not work with any service. I do not know what else I could look at, any suggestions, please? PM :frowning:

@x4t4n4x said:
I’ve been with this machine for 1 week, and I do not get the root, nor the user. I have access to the machine with a user without permissions, and a shell that allows only one line per command. I find it impossible to do a reverse shell, and the credentials I find do not work with any service. I do not know what else I could look at, any suggestions, please? PM :frowning:

One of these credentials is not that useless :wink:

@pcolomes said:

@x4t4n4x said:
I’ve been with this machine for 1 week, and I do not get the root, nor the user. I have access to the machine with a user without permissions, and a shell that allows only one line per command. I find it impossible to do a reverse shell, and the credentials I find do not work with any service. I do not know what else I could look at, any suggestions, please? PM :frowning:

One of these credentials is not that useless :wink:

I have tried the passwords with 3 services and in 3 different urls. It does not work. :, (

Okay guys i have an entry point but the register button doesnt work, any hint, what do i do next?

hmmmm

can someone help me I have access to the tomcat-users.xml file but cant login

@trounce1 said:
can someone help me I have access to the tomcat-users.xml file but cant login

Beware of the rabbits and their holes…

Hello everybody !
I got a RCE but i can’t find the first flag (“user.txt”). Any tips ?

@Kalki maybe your RCE is with something running without privileges to that user file

i don’t find the file. It must be in /home/“user” ?

I could use a nudge. I have several creds from enumerating and know who the user is not the password yet though. I have been trying to use the creds against the running service, but through RCE I get access denied and timeouts from trying to run it on my machine. An article or anything would be great.

Rooted if you need help PM me.