Frolic

@banteng999 said:
if you enumerate more, you would find some creds, but you will be disappointed when you succeed in logging in; only weird characters are found
found some files, but I cannot log in with them … stuck >: (

I’m past the weird chars stage… but ■■■■ this box feels more like a CTF challenge so far :frowning:

@LoneW0lf said:
I’m past the weird chars stage… but ■■■■ this box feels more like a CTF challenge so far :frowning:

That’s because it is…

@blobbo said:

@LoneW0lf said:
I’m past the weird chars stage… but ■■■■ this box feels more like a CTF challenge so far :frowning:

That’s because it is…

what?

I rooted Jerry then started this lol what a difference. I also got creds from http enum and didn’t really get anywhere. Same problems mentioned above. I’m guessing you have to use them with smb enum? I got somewhere with that but very little progress and went round in circles. Hours passed, I’m taking a break for now. Welcome any hints. Brute force ssh?

@LoneW0lf said:
I’m past the weird chars stage… but ■■■■ this box feels more like a CTF challenge so far :frowning:

Can you please pm a hint for the weird characters decoding?

hey guys !
I’m stuck after the login: is the .!?!! useful or is it just a troll ?

@flokii said:
hey guys !
I’m stuck after the login: is the .!?!! useful or is it just a troll ?

It’s definitely useful… at least I think it is??
There is a method to turn it into something else, read the previous posts for some good hints. Think esoterically.

But, once you turn it into something more usable, it almost looks like a key of some sort, but it’s not…

any idea what to do with the decoded …!? string

@jreeves said:

@flokii said:
hey guys !
I’m stuck after the login: is the .!?!! useful or is it just a troll ?

It’s definitely useful… at least I think it is??
There is a method to turn it into something else, read the previous posts for some good hints. Think esoterically.

But, once you turn it into something more usable, it almost looks like a key of some sort, but it’s not…

any idea what to do with the decoded …!? string

Same here, can see some information when trying to decode (seems to be a filename) but cannot get something relevant.

Any hints ?

@banteng999 said:

@blobbo said:

@LoneW0lf said:
I’m past the weird chars stage… but ■■■■ this box feels more like a CTF challenge so far :frowning:

That’s because it is…

what?

This box is a pure CTF challenge IMHO

chat for hints and discussion

the creds you find from 2 different files… are they supposed to work anywhere?
edit: ok found some other creds and interesting stuff after all

Very CTF-esque machine. Learned something new during escalation though! Thanks for that

I have shell, more than the privesc :slight_smile:

so is r*p the key to privesc?

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

@Seepckoa said:

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

I see you can cause an overflow by throwing in an argument longer than (redacted) digits and cause eip to become a memory address of your choice… I guess you could use this to write a custom program that just waits in memory trying to read root.txt and then cause r*p to execute that code… but is this really the way to do it or am I overthinking this

this is what I’m going to attempt, and don’t get me wrong, it sounds like fun but is a 20pt root really as complicated as this?

Edit: nvm, I’m overcomplicating it. this is a path and I’m making it too tough

@jreeves said:

@Seepckoa said:

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

I see you can cause an overflow by throwing in an argument longer than (redacted) digits and cause eip to become a memory address of your choice… I guess you could use this to write a custom program that just waits in memory trying to read root.txt and then cause r*p to execute that code… but is this really the way to do it or am I overthinking this

this is what I’m going to attempt, and don’t get me wrong, it sounds like fun but is a 20pt root really as complicated as this?

Edit: nvm, I’m overcomplicating it. this is a path and I’m making it too tough

Me personally, I try to inject a shellcode in the program; I do not know if I’m on the right track.

Rooted ! :slight_smile:

@Seepckoa said:

@jreeves said:

@Seepckoa said:

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

I see you can cause an overflow by throwing in an argument longer than (redacted) digits and cause eip to become a memory address of your choice… I guess you could use this to write a custom program that just waits in memory trying to read root.txt and then cause r*p to execute that code… but is this really the way to do it or am I overthinking this

this is what I’m going to attempt, and don’t get me wrong, it sounds like fun but is a 20pt root really as complicated as this?

Edit: nvm, I’m overcomplicating it. this is a path and I’m making it too tough

Me personally, I try to inject a shellcode in the program; I do not know if I’m on the right track.

I’m guessing that worked for you? I ended up exploiting a stack overflow.
RIP rop