Hint for Waldo

PM me if you need some help on this.

@Calvo said:
Any tips for user? I am playing with BS but i can’t seem to read anything worth looking at and pretty stuck atm. pms are welcome

Take a look how lists work.

rooted, a good enumeration is the key in all steps towards root

feel free to PM for hints

Finally got it rooted - very simple once you know what you are doing. Look into the commands you have available is my best piece of advice. If anyone would like any hints then drop me a PM.

Unmasked Waldo’s root! Thnx for the help!

I got the root flag, but can’t for the life of me find a way to escalate to a root shell. I was able to dump shadow, but I feel like there must be a better way then just bruteforcing some passwords. Any hints on root shell? I know I’m capable, I’ve tried taking a lot of different tacks, but nothing I read seems to be what I need.

@jfredett said:
I got the root flag, but can’t for the life of me find a way to escalate to a root shell. I was able to dump shadow, but I feel like there must be a better way then just bruteforcing some passwords. Any hints on root shell? I know I’m capable, I’ve tried taking a lot of different tacks, but nothing I read seems to be what I need.

From what I’ve seen so far, no. Unless there’s some file you can read that would give you access, but /root/ doesn’t have an authorized_keys file.

Finally got the root.txt, thanks to the continous support from @LordRNA @atxxx .
Tips for everyone,

  1. Hits haven in this forum is enough for priv esc but limited on first step.
  2. There will be four stages that you have to do, capabilities is at the last.
  3. BurpSuite will be your best friend for the first stage, find out on the LFI and learn more about it and it shall be enough to get you through.
  4. Stop resetting the server as other people may be half way doing something, resetting the server will not get you root.txt

Can read the different PHP files but struggling to read anything interesting :frowning:

Hii i got the ssh keys of n****y but i am not able to format it correctly, please can anyone help to format those both keys. :frowning: i am so confused HOW do i format because googling wasn’t helpful for me

@CrKMinD said:
Hii i got the ssh keys of n****y but i am not able to format it correctly, please can anyone help to format those both keys. :frowning: i am so confused HOW do i format because googling wasn’t helpful for me

are you sure you got the right key?

@Jacker31 said:

@CrKMinD said:
Hii i got the ssh keys of n****y but i am not able to format it correctly, please can anyone help to format those both keys. :frowning: i am so confused HOW do i format because googling wasn’t helpful for me

are you sure you got the right key?

yes sir, its m**r i fount it on /home/n****y/.h/.mr (is it correct) thanks for reply

EDIT:GOT USER !!! feel free to pm for user trying root

@CrKMinD said:

@Jacker31 said:

@CrKMinD said:
Hii i got the ssh keys of n****y but i am not able to format it correctly, please can anyone help to format those both keys. :frowning: i am so confused HOW do i format because googling wasn’t helpful for me

are you sure you got the right key?

yes sir, its m**r i fount it on /home/n****y/.h/.mr (is it correct) thanks for reply

the key is in correct format and it has the same access to other accounts as well. Furthermore, if you got the key from php LFI, then you will need to fix the formatting. Fewof the members in this forum has already posted ways to fix the formatting. You will need them to connect to no****.

Rooted this evening. User was harder than system IMO but don’t let this fool you… If you want to get the root flag you’ve gotta do some reading and digging and experimenting. Don’t know how to get root shell yet but I plan on trying again.

Lokking for assistance with the final stages of this. I have found waldo, looking for root. Accessed as m*****r and found files that are capable of getting the root.txt but I cannot for the life of me work out how. I have compiled code and using a script that I think should work but failing. help appreciated.

Edited: spent the whole day down a rabbit hole. I feel so stupid now,blinded by the over complicated techy approach when simple enumeration of the system would have taken less than a minute to identify.

Rooted. Learnt a lot, this was definitely out of my comfort zone, thanks to the creator for the great lesson ! My hints for who is struggling with this:

° use burp to analize everything that happens in the web app, try to play with the parameters under your control and see what happens. if you get stuck at this point, you can take inspiration from here:

° once you can bypass the filters, look around, you’ll find something a little bit strange in one of the usual directories we always look at in unix systems…

° use what you found with “the service”, but don’t throw it away after that ! It will serve you again soon…

° once in the jail, you’ll have to find a way to get out…there’s not much I can say without spoiling, but you can check a very detailed guide, one of the first things you’ll see if you’ll google this technique. Be sure to try EVERY possibility, even those which shouldn’t work…

° now the final part…I’ve seen a lot talking about capabilities here…It’s not wrong, you’ll need to find the tool with the right capabilities, but don’t overthink too much this step ! What you can find here

https://packetstorm.foofus.com/papers/attack/exploiting_capabilities_the_dark_side.pdf

is far more complicated of what you really need ! Keep it very very simple in this step, and do basic enumeration. Sometimes the opposite of what we desire, is still awesome for us !

Hope this is not spoiling, happy hacking !

big shout out to @rejoinder for pointing me in the right direction :+1

Rooted! This was my first Linux box- a very fun challenge. I was a little disappointed that I spent so much time reading that C source, when the final escalation turned out to be so simple.

hey, I search for root, I am on m*****r ssh, I bypass restriction, and I think I need some hint for the priv-esc. PM possible ?
EDIT : rooted but just read the flag, no shell

Root! Root!