Carrier

Any hint for obtaining the shell?

@flexkid You can PM me for that part.

Do you have to use or write a script to get root or is there another way?

Great box. Brush up on networking for priv esc, including the Linux tools commonly used for network administration and troubleshooting.

@Skunkfoot said:
@flexkid You can PM me for that part.

Do you have to use or write a script to get root or is there another way?

There is another way, you don’t have to write or use any kind of script, just the tools already available on the machine.

@veterano said:

@Skunkfoot said:
@flexkid You can PM me for that part.

Do you have to use or write a script to get root or is there another way?

There is another way, you don’t have to write or use any kind of script, just the tools already available on the machine.

Okay I thought so, just wanted to make sure. Thanks.

Need some hints on what to do after identifying the b* and the things in iptables.

whoami: root. What should I do, search for root.txt?

@Sidxzx said:
whoami: root. What should I do, search for root.txt?

Negative Ghostrider. You can search all you want, but this box is a little more complex than just getting a reverse shell. You’re going to have to do some more enumeration and a lot of research on the services and their vulnerabilities.

My advice: test it locally. At this point you should have an idea of what’s happening. Make sure you encode it back! :slight_smile:

I wonder if my way of rooting it was the intended one. I tried to replicate a ‘famous hack’ demonstrated a while ago. But then I figured - why pass on something interesting that you already have - better deal with it yourself!

My advice is to enumerate the whole network carefully - you can use bash one-liners as nmap replacement.

@kekra said:
I wonder if my way of rooting it was the intended one. I tried to replicate a ‘famous hack’ demonstrated a while ago. But then I figured - why pass on something interesting that you already have - better deal with it yourself!

I’d be interested to hear of this alternate method if you’d like to discuss.

@Skunkfoot said:

I’d be interested to hear of this alternate method if you’d like to discuss.

I am also interested - it’s not really a totally different method, more like ‘half of the famous hack’ but ‘acting more actively’. Perhaps I’m wrong and it was the intended method…

I’m pretty stumped with this one. I got user, and was able to scan from that box; I think I understand the attack I need to pull off, but I can’t seem to get it to work. Anyone willing to just help me debug what I’m doing via PM?

EDIT: I managed to pop the root flag, although I’m not 100% sure the way I did it was how you were supposed to do it (though it was close). This box really needs to be rated higher than it is on difficulty, but I loved the attack.

Already logged in to the website. The problem now is where to go… some hint would be good…
BTW: reading the tickets, do I need to check on those IPs?

After logging into the app successfully, I am now struggling with RCE. I believe I am in the right page. Appreciate some hints as I think Nikto gave a false positive of a vulnerability.

You don’t need Nikto to get a shell. If you believe it’s the right page, just try different techniques to inject the code. If nothing works still, then try the same but encode the payload this time.

So I have the serial number… What do I do… I’m clueless… Please DM

Finally I logged in to the webapp, now what?

@LordeDestro said:
Finally I logged in to the webapp, now what?

Look at the options you have. Play around with them and see if there are any values that you can mess with.

I got the s******ta.**t file, looks like root.txt – rabbit holes? :anguished:
And now I’m stuck, can anyone help shed some light?

EDIT: np, got it :slight_smile:
Thanks to @snowscan for creating this box!