Hint for Waldo

@moony8272 said:
Hi
Please could someone give me some pointers to get the initial foothold? I can see file contents and folders, but I seem to be restricted to a certain folder.
Thanks

Look at the files you can see. Read the code and try to discover how they work.

Just out of curiosity, I was able to log in and do some scanning, now when I want to sing this song from Queen, I am unable to do it. Any usable hints or directions without spoilers on this one. :slight_smile:

This one was quite funny, I was banging my head and then something obvious came. This is something I completely overlooked. Great machine but a bit annoying.

Wow what a box! As others have said, learned loads on this about something I’d never heard of.

Thanks to @mcruz @bowlslaw @grepthis and @nomad17 who gave me hints along the way and pulled me out of many a rabbit hole.

If anyone wants a spoiler-free nudge feel free to PM me.

Hi,

I think that I am close enough for the privesc, but after studying the appropriate files and trying too many things I think I am stuck. If anyone wants to give me a hint or to tell me if I am close enough, please PM me. Thanks!

@amshusky18 said:

@chrisbensch said:
Ok, able to read the php files in var www html. Just can’t seem to figure out how to abuse the path. I’ve been looking at the list.js functions and also inside the fileRead.php. A nudge?

@mbie said:
Looking for a privesc hint, currently stuck. Can’t understand how that versioned file can read with root permissions while the other file can’t. Any hints?

You might wanna check permissions or capabilities of that file… You’ll know what to do once you figure it out…

This was the one that did it for me. And now reading back all the other hints; can’t believe how incapable I was in finding the right command.

Glad it helped…

Need help. Can anyone PM?

PM me if anyone needs help.

Thank you for the opportunity to learn about something during priv esc. That’s actually really cool and I might play with it more in the real world. Indeed, pivoting to the M user did feel like a bit of a stretch.

I’m glad I searched for other files before spending time and investigating the things that I already found…

I learned a lot from this box. Especially due to all the wrong turns I took! :slight_smile:

load key invalid format solution??? Or am I doing something wrong??

@muditjais said:
load key invalid format solution??? Or am I doing something wrong??

Yeah, go over a valid private key (some examples online) and see what’s wrong with yours

yeaaa got user up for root.txt

I’d appreciate it if someone could PM with a hint for the foothold, I can browse the file system fine but I must be missing what I’m supposed to be looking for…

edit: Nevermind rebooted the box and what I needed was there

Got root. I am wondering, is there another way to get the flag using another version of the l****m binary? Feel free, I am here to talk about it!!

Finally got root! It was a journey indeed. You need to know what you are capable of :wink:

a little question, maybe I am doing something wrong:

got user, I would open a meterpreter session, and I have the key, but from msf I can only open a basic shell with auxiliary/scanner/ssh/ssh_login_pubkey:

Active sessions

Id Name Type Information Connection


2 basic linux SSH xxxxxxxx (10.10.10.87:22) 10.10.xx.xx:41023 → 10.10.10.87:22 (10.10.10.87)

When I try to upgrade to meterpreter (sessions -u 2), the result is:
[*] Executing ‘post/multi/manage/shell_to_meterpreter’ on session(s): [2]

[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 2
[-] Shells on the target platform, linux, cannot be upgraded to Meterpreter at this time.

I've always done it, but this time it is not working.
Do you have any idea what's going on?

Hi
Can anyone give me some pointers for privilege escalation?
Thanks

I’ve been able to “enumerate” in the sense that I know HOW to find files that I need to move forward. The problem I’m having is how to GET or READ those files. Any tips are appreciated!