Dev0ops hints

Need some nudge about priv esc. PM

@HeiGou said:
Can anyone help with the XML? I have uploaded a normal XML file, but when I try to send my shiny new malicious XML to the target I get no error but no shell.

Not sure if anyone gets the shell like this. Enumerate more to find the way to grab something which can give you a bunch of something.

Rooted. Get powerful when using Time stone and Reality stone lol

After getting the user flag, I got root in less than 3 minutes without using any tool or complex command! Is it just like that, or did I miss something? For those who rooted the box, I would like to verify if I got it the way the maker wanted me to get it ^^

Hi, can someone please help me with root? I’ve looked at history but I really don’t know what to do…

nvm, got root!

get initial foot step, can anyone PM me about the format of that payload? Really confused why it is needed to add the additional except that three

Really nice box… PM me for hints

Can i PM someone who rooted the box? I’ve got user and know how to get to root. Need a nudge on how to get the format right.

I know how to upload but don’t know how to progress from there. PM please with a hint/direction…

I’m stuck on root. I see where the reference points you to and I’m stuck! Can I get a nudge? Thanks.

I know what is running in the background and I know the code for that.

from flask import Flask

UPLOAD_FOLDER = '.'
ALLOWED_EXTENSIONS = set(['xml'])
app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER

def allowed_file(filename):
    # Accept only names whose final extension is in the allowlist
    return '.' in filename and \
        filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

But with every single file I try, I get Internal Server Error

pm me if u need help

Got user and shell, stuck on privesc. Looked back, changed some source, grabbed debug console, dropped rev shell - no luck escalating. Anyone want to drop a pointer in PM would be appreciated.

Just rooted! Quite fun… For those who are trying to root, check what packages/services are installed on that system which allow you to ‘travel’ in time. Think about it maybe like a kind of backup or similar solution. Find it, and then find what you can take from there.

I just didn’t understand how it got there - is it a real-life scenario or is it applicable only in particular/rare cases?
Thanks to @lokori for creating such a good box

Hi everyone, I enumerated, then found the entry point and exploited it to read arbitrary files on the system. However, even though I found that a Python package used is vulnerable (related to Rick and Morty), I am definitely stuck with an internal error when I try to get a reverse shell. Could someone help me?

If anyone can help me with priv esc on this box it would be nice. I think I have an idea but don’t know how to look at the past.

Back from holidays!! Priv escalation was pending, and now… I got it. Before the holidays I was stuck, but after sun and beach it seems my view has become clear again. At this time I saw how to get root at first glance
Nice box @lokori, thank you

@ActivateD said:
If anyone can help me with priv esc on this box it would be nice. I think I have an idea but don’t know how to look at the past.

You are so close…
Just Google it, you will figure it out…

Hint: (If it’s a spoiler, please remove it)
“Developers sometimes don’t like what they have done, and they make changes…”

@Hide0 said:
I know what is running in the background and I know the code for that.

from flask import Flask

UPLOAD_FOLDER = '.'
ALLOWED_EXTENSIONS = set(['xml'])
app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER

def allowed_file(filename):
    # Accept only names whose final extension is in the allowlist
    return '.' in filename and \
        filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

But with every single file I try, I get Internal Server Error

So you know the vulnerability type, and maybe you know the file structure to provide.
Why don’t you try to follow the file structure rule?
Maybe then you can search OWASP for this kind of vulnerability and use it with the needed structure.