Zipper

Hmmm…you have to go through the manager to get to the agent…right

Hardest part of this one was figuring out wth was going on at first. Also the hardest part was getting a stable user shell (maybe not strictly needed but makes life so much easier). I got the root flag before the user flag. It will be interesting to see the writeups.

Finally managed to get user, what a ride :astonished:

Really dude?

Well I’m unsure if other boxes are like this one, but this one was maybe slightly too “complex” to put on. This is my 2nd box and throughout the past 2 days it has constantly been resetting, I doubt anyone can properly work on it. There are a ton of modifications by others that just keep messing with what other people have put on.

Well, I’m still stuck on doing the privesc as I have to constantly repeat the steps to get the shell back to me.

@Veki said:
Well I’m unsure if other boxes are like this one, but this one was maybe slightly too “complex” to put on. This is my 2nd box and throughout the past 2 days it has constantly been resetting, I doubt anyone can properly work on it. There are a ton of modifications by others that just keep messing with what other people have put on.

Well, I’m still stuck on doing the privesc as I have to constantly repeat the steps to get the shell back to me.

If you’re in the right place as the right user, grab the SSH key and SSH in :slight_smile:

I have got the shell but not at the right place… I have been enumerating but not getting anything which could point me in the right direction. Any hints please?

Someone last night was managing to break out of containers onto the host when connecting with a script found in searchsploit. Could you hit me up? I’d really like to know how you were doing it.

I have a rev shell on Zipper but don’t know what to do next. Found bac**p.s* and I am trying to do something with it but I’ve had no luck. Could someone PM me or help me?

There is an editor called e* which was running as r***. Why am I not able to get root directly?

Rooted this really interesting box! PM if you need :slight_smile:

I found the hardest part was guessing the username/password combination for the service - once you’ve looked at the available information from the guest account, it pays to think simple. Clearly the user is not very security conscious at all :wink:

After that, I found everything very straightforward. Hints:

  • read the documentation for the service, there’s a certain item there that will help you get RCE (it helps if you know how monitoring systems with agents work);
  • getting a stable shell can require a bit of fiddling - think about what happens if your command runs again;
  • getting from one user to another is easy - remember, they’re not very security conscious and you might find some things to help you become them;
  • there are some simple techniques that help you find out what an unknown binary does;
  • there is a very common security vulnerability in executables that run other executables.

Creating your own username and password instead of the current ones is probably the hardest thing in this box.

Maybe the first RCE can be challenging but user is straightforward from there and root was FUN.

EDIT: someone was claiming that root is possible without getting user. I would love to learn how that can be accomplished if anyone was really able to do this.

Got root…
It’s relatively easier than user :+1:
I liked the way it was done.

So I found a service and I was able to get a list of valid endpoints in such a service. However, every time I try to access those endpoints, I get a message saying error connecting to database.

Am I on the right path? I can’t find anything else of interest, but that also seems like a dead end. Any hints?

@AgustinCB said:
So I found a service and I was able to get a list of valid endpoints in such a service. However, every time I try to access those endpoints, I get a message saying error connecting to database.

Am I on the right path? I can’t find anything else of interest, but that also seems like a dead end. Any hints?

That sounds like somebody broke something. Try a reset.

Hi Guys,

Been hammering away at this for some time now and I’m starting to think I’m in a rabbit hole. Getting a “No permissions to referred object or it does not exist!” error when trying to execute the shell I created. I’m being vague so I don’t spoil it for everyone else. I think it’s because I’m not defining the “hostid”, but I can’t seem to extract this from the system anywhere. PM me if you have any suggestions. Thanks

Thanks to a nudge from tty I’ve managed to root the box. User/Root is straightforward. Good box overall. PM if looking for a nudge.

Right, I have some sort of access, apparently in the “wrong place” as I cannot see user.txt, but I don’t understand the whole “Wrong place/right place” thing. Anyone want to give me a clue?

ok found the ‘right place’ but not sure how, then from my reverse shell it worked out easier to ding root and then run around and collect all the flags :slight_smile: