Hint for Waldo

Can someone PM me with a hint for root???

Just rooted!!! Didn't understand the process much. Anyone available in PM to discuss it?

rooted pm me

logM****** uses strcpy which if I remember right is prone to buff overflow… hot or cold? I don't know much about how to execute a buff overflow but I'll look into it

can someone pm me about the priv esc?

bit lost on getting user access on this. Got a key and filtered out the bad characters and have a valid key but it doesn’t work.
Pretty stuck now :frowning:

@Meatex said:
bit lost on getting user access on this. Got a key and filtered out the bad characters and have a valid key but it doesn’t work.
Pretty stuck now :frowning:

If you're sure the key is valid, what other parameters could be changed?

Ok, able to read the php files in var www html. Just can’t seem to figure out how to abuse the path. I’ve been looking at the list.js functions and also inside the fileRead.php. A nudge?

@ReneW said:

@Meatex said:
bit lost on getting user access on this. Got a key and filtered out the bad characters and have a valid key but it doesn’t work.
Pretty stuck now :frowning:

If you're sure the key is valid, what other parameters could be changed?

Key said valid, but using the link earlier in this thread to clean it up and using autoreplace must have introduced a typo.
Manually cleaning up the key file did the trick.

Looking for a privesc hint, currently stuck. Can’t understand how that versioned file can read with root permissions while the other file can’t. Any hints?

@chrisbensch said:
Ok, able to read the php files in var www html. Just can’t seem to figure out how to abuse the path. I’ve been looking at the list.js functions and also inside the fileRead.php. A nudge?

@mbie said:
Looking for a privesc hint, currently stuck. Can’t understand how that versioned file can read with root permissions while the other file can’t. Any hints?

You might wanna check permissions or capabilities of that file… You’ll know what to do once you figure it out…

Finally I got root, and I knew a new command with this box :smiley:

thanks mr. mcruz :slight_smile:

@takuma said:
Finally I got root, and I knew a new command with this box :smiley:

thanks mr. mcruz :slight_smile:

You are welcome, you guys can PM me whenever you want if you need help.

If you are stuck at the enumeration and you can only see “html” and “localhost” Spoiler Removed - Arrexel so it’s breakable, I didn’t use weird characters like %2e etc… It’s really easy ! Don’t think too much :stuck_out_tongue: Hope I helped someone

Could someone let me know if a certain file in a folder that had to be accessed by “pushing” is what's needed for privesc or is part of the solution?

Can anybody PM me for priv esc? I am very stuck, and have been for a long time.

WOW… getting root was straightforward as long as you don’t get caught pwning with horse blinders on. Great box!

Also, there are enough hints on here to figure it out with enough effort.

@JeanMichel said:
If you are stuck at the enumeration and you can only see “html” and “localhost”, imagine that the filter only deletes “…/” of your request, but not the total string ^^, so it’s breakable, I didn’t use weird characters like %2e etc… It’s really easy! Don’t think too much :stuck_out_tongue: Hope I helped someone

THANK YOU
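
Added example, not part of any post in this thread and not the box's fileRead.php (its code is not shown here): a single-pass filter of the kind the quoted hint describes, next to a version that canonicalises the path first and then checks it against the base directory. The function names and sample paths are constructed for illustration, and Python is used so the block runs on its own.

```python
import os
import tempfile

def naive_filter(user_path: str) -> str:
    # Assumed behaviour (from the hint): delete each "../" once, left to
    # right, and never re-scan the result.
    return user_path.replace("../", "")

def resolve_naive(base: str, user_path: str) -> str:
    # Filter, then join: whatever survives the filter is trusted.
    return os.path.normpath(os.path.join(base, naive_filter(user_path)))

def resolve_safe(base: str, user_path: str) -> str:
    # Canonicalise first (collapses "..", follows symlinks), then require
    # the result to stay under the base directory. No string filtering.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate

def is_inside(base: str, path: str) -> bool:
    # True when the canonical form of `path` lies under `base`.
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) == base_real

if __name__ == "__main__":
    base = tempfile.mkdtemp()  # constructed stand-in for the served directory
    samples = ["notes/a.txt", "../../etc/hostname", "....//....//etc/hostname"]
    for s in samples:
        naive = resolve_naive(base, s)
        try:
            safe = resolve_safe(base, s)
        except PermissionError as exc:
            safe = f"rejected ({exc})"
        print(f"{s!r}")
        print(f"  naive: inside_base={is_inside(base, naive)} -> {naive}")
        print(f"  safe:  {safe}")
```

With the safe resolver the doubled-dot input is treated as literal directory names under the base, so it cannot leave it.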

Enjoyed this machine… Thanks to those who gave some great hints… Learned some new linux commands on this machine and some other techniques…

For those stuck on initial foothold: There are a couple of posts here, some with articles, that will help you out a lot!

For those stuck on the priv esc and steps before that, the key is research to what you have “access” to for the first part and then what can help you and you have access to to get what you need…

ARRRRG, back here again. I’m able to see the user.txt file, however there is a filter not allowing me to read it… how can I bypass it? or do something else? Am I going the wrong direction? PM me :slight_smile: