Hint for Waldo

Comments

  • Could anyone PM me regarding the initial foothold? I am stuck in getting out of "jail". I've tried numerous fuzzers without luck. I've also read the article referenced here quite a bit but I am still unable to get it. Any tips would be MUCH appreciated!

    bluecipher

  • edited September 2018

    This box ate up a good part of my last two days. The initial foothold is simple enough if you know how to use BS. The privesc was a roller-coaster. I have root.txt (hint: check for file capabilities as others have mentioned) but still no shell yet. Crons and log******* seem like dead ends. Spoiler Removed - Arrexel

  • Not a web cat, so struggling with the initial foothold. Playing with BS and parameters, but not getting much traction. I've read the articles mentioned so have a decent understanding of what I'm trying to do. Figuring I am overthinking it. Any tips?

  • Got root!

    You can bypass a little something something by just using a new something something. One of the text editors is MUCH more useful than you think, read the man pages.

    You need to look for something that's actually capable of accessing the target, /DON'T/ waste your time on the decoy, because it's like forcing a rabbit to ride a bicycle. (I tried to get the poor metaphorical rabbit to ride the bicycle for like 4 hours in total instead of actually following the slogan of the website and thinking outside the box.)

    Looking into what all the files at your disposal can do is your friend.
    I learned an amazing rshell bypass technique.
    That's all I'll drop, because I think that I dropped way too much. :D

    Shoutout to @wirepigeon, @Pazanate (in HTB) and @Hrafnskogr.

  • Can someone PM me? I've got a question re: traversal (pre-user)

  • @ccma40 said:
    Can someone PM me? I've got a question re: traversal (pre-user)

    Same.... I can traverse the file structure by proxying the requests but have no idea how to read anything....

  • edited September 2018

    Wrong thread..haha

  • @Warlord711 said:

    @sazouki said:
    > @TazWake said:
    > @sazouki said:
    > m****@10.10.10.87: Permission denied (publickey).
    >
    > any hint how to fix this
    >
    > How did you solve this?

    wrong user

    It's quite obvious if you realize where you downloaded the file ;)

    I tried n****y also, same error. Why?

  • Hi, can someone please help me? I escaped the jail and now I am fully stuck. I believe I have checked file capabilities. But I really don't know what to do. Please can someone PM me?

  • @ccma40 said:
    Can someone PM me? I've got a question re: traversal (pre-user)

    Ignore - rooted now. What a ride

  • Rooted, thanks to @Saiyajin with help in privesc.
    It's important to escape the jail and to ask yourself why some commands maybe don't work. If you solve it you need some information that is not common, but if you read this post you will have enough.
    PM if you need some help.

  • Got user. Learned a lot.

  • Finally got the root flag on Waldo. Many thanks to the creator of this box!!!! Really funny box! I learned a lot. 😀 If someone needs a hint, just PM me.

    Ozunu

  • This was the longest time I ever spent on a privesc, which could've been immensely reduced by just googling more. What a shame, thanks to @Ozunu though who pointed me in the right direction on how to proceed after escaping the restrictions.

    nscur0

  • Seems like I am able to read directories but not the actual file, but using fileRead.php I am not able to abuse path. Am I on the right direction? HALLPPEE

  • Hi, can someone help me with priv esc? I got the user.txt, but I have no clue where to go. Can't enumerate anything useful. DM would be appreciated.

  • Can anyone help me with PE? Already gotten M user and jailbreak from shell.

  • Why is Waldo so #$%^ SLOW?

  • Someone please help me break out of jail. Thanks!

  • Not able to find user.txt...can't figure out payload instead of "/user.txt"

  • @thePr0fessor said:
    Not able to find user.txt...can't figure out payload instead of "/user.txt"

    Maybe you are not the right user ?

    fasetto

  • edited September 2018

    Can anyone PM me with Waldo - Priv Esc ?

    I have managed to escape the jail, done some enumeration in the interesting folders and files, stumped from there. I'm on Netsec Mattermost under the same handle.

    EDIT: Rooted ... I can offer help to anyone, was really overlooking this one!

    CISSP | CISM | CEH | CRISC | OSCP

  • Finally rooted, my hint to all is,

    Initial foothold,
    find out what you can read and try to read some files that are related to the app, then try to figure out what is removed.

    PE,
    This is something that I have not done before but basically to check "capabilities". Read up more at https://packetstorm.foofus.com/papers/attack/exploiting_capabilities_the_dark_side.pdf

    Hope not too much of a spoiler as this is something not so common.

    Really enjoyed this box and also thanks @nomad17 for the hint. :)

  • edited September 2018

    Currently stuck in jail and would like to escape :smile: Any help appreciated.
    Edit: nvm. Typical. After ages looking, I found Waldo 10 minutes after posting.

  • Initial foothold,
    find out what you can read and try to read some files that are related to the app, then try to figure out what is removed.

    PE,
    This is something that I have not done before but basically to check "capabilities". Read up more at https://packetstorm.foofus.com/papers/attack/exploiting_capabilities_the_dark_side.pdf

    Hope not too much of a spoiler as this is something not so common.

    Really enjoyed this box and also thanks @nomad17 for the hint. :)

    Definitely the most specific hint on this thread. Thx.

    So have you rooted it, or just got the root.txt?

    I've got the flag but I'd like to actually root it.

  • Can someone tell me how to log in to SSH?
    It just gave me
    Load key "key": invalid format
    and
    Permission denied (publickey).

  • I think it was Lincoln who said that if he had to chop down a tree in 8 hours he would spend the first six sharpening his axe. I should have listened. I finally got user when I went back and did proper reconnaissance after learning what the main vulnerability was. Thanks to all those who gave me hints.

  • What am I missing? Only have N*, and a box that I can't see any way out of. I see the pub key for another user, but obviously that isn't good enough for much.

  • Very nice machine. Once in, it was a little struggle to get further. After the right command it was just looking for the right tool.

    Learned a lot.

  • Rooted, what a ride... PM if you need some hints. Learned so much from this box