Curling

This one was nice and easy. It’s fun to have one of those once in a while. Never heard about magic numbers before, so I even learned something new today.

This box is getting fucked-up by many ppl (tons of reset or spoils) so I’m wondering how many people got user with full pre exploitation :thinking:

I am stuck at Pabap file
And also do not know what I do with secre
.txt ?

@Amzker said:
I am stuck at Pabap file
And also do not know what I do with secre
.txt ?

PM me =)

If you’re stuck on priv esc try to find a way or write a script to capture what exactly is happening and go from there, then it’s quite simple.

Nice machine. User is quite easy. Root was even easier :-).

Now I can see I’m learning …

Nice machine @L4mpje !

Saying my PHP is “unsafe”, how can I bypass? Have tried allowing PHP in options

Edit: Spent a few hours on this. I’m overlooking something. Can somebody help?

Had a crack at this one - took 10 mins to get user, that part was simple

Now to have a look at root

Finally got root.txt, thanks to @Ahm3dH3sham for the hint, but still I am so curious how to have access to a root shell, I just found the hash of root.txt, LOL

@hemlock said:
Huuum, I’m stuck on the file p*******_*****p.txt

I think I have a way to go through it but I need advice on how to use it. If anyone could give me advice by PM, that would be fine :slight_smile:

Thanks a lot ^^

Same here, I can see the magic number and from my point of view it should be a b**.file. I renamed it and tried to decompress, nothing works

EDIT: I got it

@Sekisback said:

@hemlock said:
Huuum, I’m stuck on the file p*******_*****p.txt

I think I have a way to go through it but I need advice on how to use it. If anyone could give me advice by PM, that would be fine :slight_smile:

Thanks a lot ^^

Same here, I can see the magic number and from my point of view it should be a b**.file. I renamed it and tried to decompress, nothing works

Did you check what sort of FILE it is and use the correct command to decompress?

Nevermind, I wasn’t connected to the VPN and apparently 10.10.10.150 is a public facing Cisco admin panel (wink wink).
What happened to Joomla? I did a little recon on the box a couple of days ago and it was running WordPress; now the website’s root directs to “Cisco DPC3825 DOCSIS 3.0 Data Gateway”. I already issued a reset request in case someone might have messed with it. However it hasn’t done anything yet. Did the creator alter the machine?

@sahil said:
Nevermind, I wasn’t connected to the VPN and apparently 10.10.10.150 is a public facing Cisco admin panel (wink wink).
What happened to Joomla? I did a little recon on the box a couple of days ago and it was running WordPress; now the website’s root directs to “Cisco DPC3825 DOCSIS 3.0 Data Gateway”. I already issued a reset request in case someone might have messed with it. However it hasn’t done anything yet. Did the creator alter the machine?

OK…
That is a private subnet, so no it is not a public facing admin panel!

Have you checked your routes, or your local subnet? - I think it’s your wireless residential gateway or access point.

I managed to get root.txt but couldn’t really figure out how to get a proper root shell even though I worked out what was happening. (Maybe I haven’t fully understood what was going on, would love someone to give me a tip or two on how to actually get the full root shell.)

EDIT: I just learned what is going on.

After one day I passed the pa******_b*****, this dirty little ■■■■■■■, now I got the user.txt
Thx to Rickter, ZaphodBB and hemlock for pushing in the right direction.

But for the root.txt I have no idea.

@paddy said:
Have a shell but no escape is working and can’t su to the user whose creds I have. Pm if you can help

Did you find a way to escape? I’m in the same situation

I have the shell, any clue about how to “escape”?

I’ve been trying to brute force a login, and hydra keeps erroring out, am I wasting my time?