Tips from a Newbie to a Newbie…
This was my first box to attempt and I have just rooted it over about 3-4 evenings. I have basic Linux and very basic coding experience, and I only very recently learnt about the idea of pen testing! Here’s how I approached it, hopefully WITHOUT ANY SPOILERS.
I downloaded Kali and read up on a few walkthroughs of some of the early boxes to understand how to get started. I used two basic tools to carry out what I think you call enumeration, and I just used default settings. I expect everyone has done the same so far. From that point on I didn’t use any hacking tools (mainly because I haven’t yet learnt about them); I did everything manually.
All the clues I needed were in the website. If I didn’t know what the clue meant, I researched what it might relate to, or wrote it down for later. The clues are there to help after all, not to send you on a wild goose chase. I think there are 2 or even 3 separate ways to get user; I only found one, so some of the clues I never used. The programming language involved I had actually never used, but it was very easy to learn the basics. Once I had the code, I knew I needed to compromise it. To understand how it worked, I set up a replica of the code on my machine and learnt how I could attack it. That way, I could see all debug errors, variables etc. I would never have worked it out without doing this. Once I could compromise the code, I googled for code examples to inject (e.g. how to spawn a shell). Again, I tested this on my machine, and then it worked against the box. It was very inelegant, but finally I had a way of getting user.txt.
Once I had some access to the filesystem, there were of course more clues to be found. Because they were only visible with user access, they could only relate to how to get root. Getting root took a lot of frustration, because it involved another programming system I had heard of but never used, and I was getting impatient and not testing attacks locally. I read up on the new system, but in the end I took a copy of the files I found on the server and again replicated everything locally. I finally found the answer, but I could not get the answer to work. Another theory to learn that I was aware of, but had never understood in detail. The reason the answer did not work for me was that I was simply doing it wrong. Again, the saviour was replicating the scenario locally and enabling verbose mode on tools (basic tools, not hacker tools) so I could see what I was doing wrong. After making a cup of tea (guess my nationality) I sat down and gave it one more go, and I was staring at a root shell prompt.
I have since written a program to gain user access with one step, to prove to myself I could do it. Future work is to explore the other exploits that the clues hint to.
I really hope this helps other beginners and that I haven’t given anything away, mainly because the satisfaction of doing it unaided is huge. My approach was extremely inefficient; I’m sure there are tools that could have made my life so much easier (but I wouldn’t have learnt how they worked). On the way I learnt so much, and that is the reason I am here.
I am now trying “Carrier” but getting nowhere. A cup of tea might help…
p.s. General tip on shell access: don’t forget to enable STDERR somehow or it will drive you up the wall if you are good at typos.
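To make the p.s. concrete, here is an added example that is not part of the original post: a small POSIX sh script that runs the same mistyped command twice, once with stderr discarded (how a crude injected shell often behaves) and once with stderr merged into stdout via `2>&1`. The command name `lss` is a constructed typo; the script assumes only a POSIX `sh` and no program called `lss` on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): why a typo "vanishes" when a
# shell only gives you stdout, and how 2>&1 fixes it.
# Assumption: POSIX sh is available and no command named "lss" exists.

# Run a command string the way a naive one-way shell often does: stdout only.
# Any "command not found" message goes to stderr and is silently dropped.
run_stdout_only() {
    sh -c "$1" 2>/dev/null
}

# Same command, but stderr is redirected onto stdout (the "2>&1" the tip
# refers to), so the shell's own error text comes back with the output.
run_with_stderr() {
    sh -c "$1" 2>&1
}

# Demo: the typo produces no visible output at all in the first case and a
# clear "not found" message in the second.
main() {
    echo "--- stdout only (typo is invisible) ---"
    run_stdout_only 'lss /tmp'
    echo "--- with 2>&1 (typo is reported) ---"
    run_with_stderr 'lss /tmp'
}

main
```

The same idea applies to anything you inject through a web application: append `2>&1` to the injected command so that interpreter and shell errors come back in the HTTP response instead of disappearing on the server.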