Hint for Waldo

I learned what I am capable of. Though, need any educational hints. Stuck here.

Edit: got root. For priv esc part. You really need to know what you are capable of.
I just reached root flag. Can anyone PM me about how to get a root shell?

Can anyone PM me to give me a nudge on how to escape the jail? I’ve got the user flag already and enumerated the environment I’m in (n****** user), but I’m not seeing a way to escape.

Could anyone PM me regarding the initial foothold? I am stuck in getting out of “jail”. I’ve tried numerous fuzzers without luck. I’ve also read the article referenced here quite a bit but I am still unable to get it. Any tips would be MUCH appreciated!

This box ate up a good part of my last two days. The initial foothold is simple enough if you know how to use BS. The privesc was a roller-coaster. I have root.txt (hint: check for file capabilities as others have mentioned) but still no shell yet. Crons and log******* seem like dead ends. Spoiler Removed - Arrexel

Not a web cat, so struggling with the initial foothold. Playing with BS and parameters, but not getting much traction. I’ve read the articles mentioned so have a decent understanding of what I’m trying to do. Figuring I am overthinking it. Any tips?

Got root!

You can bypass a little something something by just using a new something something. One of the text editors is MUCH more useful than you think, read the man pages.

You need to look for something that’s actually capable of accessing the target, /DON’T/ waste your time on the decoy, because it’s like forcing a rabbit to ride a bicycle. (I tried to get the poor metaphorical rabbit to ride the bicycle for like 4 hours in total instead of actually following the slogan of the website and thinking outside the box.)

Looking into what all the files at your disposal can do is your friend.
I learned an amazing rshell bypass technique.
That’s all I’ll drop, because I think that I dropped way too much. :smiley:

Shoutout to @wirepigeon, @Pazanate (in HTB) and @Hrafnskogr.

Can someone PM me? I’ve got a question re: traversal (pre-user)

@ccma40 said:
Can someone PM me? I’ve got a question re: traversal (pre-user)

Same… I can traverse the file structure by proxying the requests but have no idea how to read anything…

Wrong thread…haha

@Warlord711 said:

@sazouki said:

@TazWake said:
@sazouki said:
m****@10.10.10.87: Permission denied (publickey).

Any hint how to fix this?

How did you solve this?

Wrong user.

It’s quite obvious if you realize where you downloaded the file :wink:

I tried n****y also, same error. Why?

Hi, can someone please help me? I escaped the jail and now I am fully stuck. I believe I have checked file capabilities. But I really don’t know what to do. Please can someone PM me?

@ccma40 said:
Can someone PM me? I’ve got a question re: traversal (pre-user)

Ignore - rooted now. What a ride

Rooted, thanks to @Saiyajin with help in privesc.
It’s important to escape the jail and to ask yourself why some commands maybe don’t work. If you solve it you need some information that is not common, but if you read this post you will have enough.
PM if you need some help.

Got user. Learned a lot.

Finally got the root flag on Waldo. Many thanks to the creator of this box!!! Really funny box! I learned a lot. If someone needs a hint, just PM me.

This was the longest time I ever spent on a privesc, which could’ve been immensely reduced by just googling more. What a shame, thanks to @Ozunu though who pointed me in the right direction on how to proceed after escaping the restrictions.

Seems like I am able to read directories but not the actual file, but using fileRead.php I am not able to abuse the path. Am I on the right direction? HALLPPEE

Hi, can someone help me with priv esc? I got the user.txt, but I have no clue where to go. Can’t enumerate anything useful. DM would be appreciated.

Can anyone help me with PE? Already gotten M user and jailbreak from shell.

Why is Waldo so #$%^ SLOW?