Could anyone PM me regarding the initial foothold? I am stuck in getting out of "jail". I've tried numerous fuzzers without luck. I've also read the article referenced here quite a bit but I am still unable to get it. Any tips would be MUCH appreciated!
This box ate up a good part of my last two days. The initial foothold is simple enough if you know how to use BS. The privesc was a roller-coaster. I have root.txt (hint: check for file capabilities as others have mentioned) but still no shell yet. Crons and log******* seem like dead ends. Spoiler Removed - Arrexel
Not a web cat, so struggling with the initial foothold. Playing with BS and parameters, but not getting much traction. I've read the articles mentioned so have a decent understanding of what I'm trying to do. Figuring I am overthinking it. Any tips?
You can bypass a little something something by just using a new something something. One of the text editors is MUCH more useful than you think, read the man pages.
You need to look for something that's actually capable of accessing the target. /DON'T/ waste your time on the decoy, because it's like forcing a rabbit to ride a bicycle. (I tried to get the poor metaphorical rabbit to ride the bicycle for like 4 hours in total instead of actually following the slogan of the website and thinking outside the box.)
Looking into what all the files at your disposal can do is your friend.
I learned an amazing rshell bypass technique.
That's all I'll drop, because I think that I dropped way too much.
@sazouki said:
> @TazWake said:
> @sazouki said:
> m****@10.10.10.87: Permission denied (publickey).
>
> How did you solve this?
wrong user
It's quite obvious if you realize where you downloaded the file.
Hi, can someone please help me? I escaped the jail and now I am fully stuck. I believe I have checked file capabilities, but I really don't know what to do. Please can someone PM me?
Rooted, thanks to @Saiyajin with help in privesc.
It's important to escape the jail and to ask yourself why some commands maybe don't work. If you solve it you need some information that is not common, but if you read this post you will have enough.
PM if you need some help.
Finally got the root flag on Waldo. Many thanks to the creator of this box!!!! Really funny box! I learned a lot. 😀 If someone needs a hint, just PM me.
This was the longest time I ever spent on a privesc, which could've been immensely reduced by just googling more. What a shame, thanks to @Ozunu though who pointed me in the right direction on how to proceed after escaping the restrictions.
Seems like I am able to read directories but not the actual file, but using fileRead.php I am not able to abuse the path. Am I in the right direction? HALLPPEE
I have managed to escape the jail, done some enumeration in the interesting folders and files, stumped from there. I'm on Netsec Mattermost under the same handle.
EDIT: Rooted... I can offer help to anyone, was really overlooking this one!
I think it was Lincoln who said that if he had to chop down a tree in 8 hours he would spend the first six sharpening his axe. I should have listened. I finally got user when I went back and did proper reconnaissance after learning what the main vulnerability was. Thanks to all those who gave me hints.
What am I missing? Only have N*, and a box that I can't see any way out of. I see the pub key for another user, but obviously that isn't good enough for much.
Comments
Got root!
Shoutout to @wirepigeon, @Pazanate (in HTB) and @Hrafnskogr.
Can someone PM me? I've got a question re: traversal (pre-user)
Same.... I can traverse the file structure by proxying the requests but have no idea how to read anything....
Wrong thread..haha
I tried n****y also, same error. Why?
Ignore - rooted now. What a ride
Got user. Learned a lot.
Hi, can someone help me with priv esc? I got the user.txt, but I have no clue where to go. Can't enumerate anything useful. DM would be appreciated.
Can anyone help me with PE? Already gotten M user and jailbreak from shell.
Why is Waldo so #$%^ SLOW?
Someone please help me break out of jail. Thanks!
Not able to find user.txt...can't figure out payload instead of "/user.txt"
Maybe you are not the right user?
Can anyone PM me with Waldo - Priv Esc ?
CISSP | CISM | CEH | CRISC | OSCP
Finally rooted, my hint to all is:
Initial foothold:
Find out what you can read and try to read some files that are related to the app, then try to figure out what is removed.
PE:
This is something that I have not done before, but basically it is to check "capabilities". Read up more at https://packetstorm.foofus.com/papers/attack/exploiting_capabilities_the_dark_side.pdf
Hope it's not too much of a spoiler as this is something not so common.
Really enjoyed this box and also thanks @nomad17 for the hint.
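The capabilities hint above is the one technical point in this thread, so here is an added audit helper (not from the thread or from the box) that parses the output of `getcap -r / 2>/dev/null` and flags binaries carrying capabilities that bypass file permission checks or allow identity changes. The sample output, the binary paths and the risk table are constructed for the example; it handles both the older `path = caps+flags` and the newer `path caps=flags` getcap formats.

```python
import re
from typing import Dict, List

# Constructed sample of `getcap -r / 2>/dev/null` output (hypothetical paths, not from the box).
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/logreader = cap_dac_read_search+ep
/usr/local/bin/backup = cap_dac_override,cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
"""

# Capabilities an auditor should treat as equivalent to a setuid-root binary.
HIGH_RISK = {
    "cap_dac_read_search": "bypasses read permission checks on any file",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_setuid": "can change its UID, including to 0",
    "cap_setgid": "can change its GID",
    "cap_sys_admin": "broad administrative capability",
    "cap_sys_ptrace": "can attach to other users' processes",
}

# Matches "/path = caps+flags" (older libcap) and "/path caps=flags" (newer libcap).
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")


def parse_getcap(output: str) -> Dict[str, List[str]]:
    """Map each binary path to the lowercase capability names it carries."""
    result: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or unparseable output
        # Drop the "+ep" / "=ep" flag suffix, then split the comma-separated names.
        names = re.split(r"[+=]", m.group("caps"))[0].lower().split(",")
        result[m.group("path")] = [n for n in names if n]
    return result


def audit_capabilities(output: str) -> List[Dict[str, str]]:
    """Return one finding per (binary, high-risk capability) pair."""
    findings = []
    for path, caps in parse_getcap(output).items():
        for cap in caps:
            if cap in HIGH_RISK:
                findings.append({"path": path, "capability": cap, "why": HIGH_RISK[cap]})
    return findings


if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP_OUTPUT):
        print(f"{f['path']}: {f['capability']} ({f['why']})")
```

Feed it real getcap output on a host you administer to spot binaries that should not carry these capabilities; cap_net_raw on ping is expected, cap_dac_read_search on an arbitrary tool is not.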
Currently stuck in jail and would like to escape
Any help appreciated.
Edit: nvm. Typical. After ages looking, I found Waldo 10 minutes after posting.
Definitely the most specific hint on this thread. Thx.
So have you rooted it, or just got the root.txt?
I've got the flag but I'd like to actually root it.
Can someone tell me how to log in to ssh? It just gave me
Load key "key": invalid format
and
Permission denied (publickey).
Very nice machine. Once in, it was a little struggle to get further. After the right command it was just looking for the right tool.
Learned a lot.
Rooted, what a ride... PM if you need some hints. Learned so much from this box