Hint for Waldo

i’ve got to the part where i’ve escaped the restricted thing, but i can’t execute get/setcap, like everyone is mentioning in this thread. what am i missing?

@avoidy said:

@drywaterv2 said:
I’m having trouble with the initial foothold … I tried directory traversal, adding scripts to the lists but filters are too strong and I can’t get anywhere

Look at the source, from there figure out what file it calls and with what parameters.

I already know these, but I can’t manage to perform the local file inclusion, and I don’t even know where to go when I manage to

Never mind, I managed to get it working

@drywaterv2 try to use burp and see what happened

can’t get the c*p bins to run in m*****r in order to PE - “No such file or directory”

should i continue trying in this direction?

Got user. It was so easy yet I spent way too much time on it, I feel stupid

Can someone pm me for tips and tricks? Tried several things but stuck on user. I have a lot of questions, it’s not my intention to root this box but know several techniques to get closer… thx

@evandrix said:
i’ve got to the part where i’ve escaped the restricted thing, but i can’t execute get/setcap, like everyone is mentioning in this thread. what am i missing?

check your PATH

stuck on root, any hints? :disappointed:

Just out of curiosity… are people really becoming physical root or just taking the flag and calling it a day ?

@dualfade said:
Just out of curiosity… are people really becoming physical root or just taking the flag and calling it a day ?

Root shell is not possible. People are only getting the flag and calling it “root”

@snowman418 said:

@dualfade said:
Just out of curiosity… are people really becoming physical root or just taking the flag and calling it a day ?

Root shell is not possible. People are only getting the flag and calling it “root”

I see. Makes sense… I’m new to the CTF style systems.

Thanks !

Got root :tired_face: :smiley: .
Overlooked so many things.
So make sure you check dirs a few times, go and see what you might have missed. Can’t emphasize more. Everything is right in front of you.

PM if you need a hint.

I can’t for the life of me escape jail. Feel like I’ve tried everything now.
Can someone give me a nudge?

@s1gh said:
I can’t for the life of me escape jail. Feel like I’ve tried everything now.
Can someone give me a nudge?

So I feel kinda dumb, but I also am a bit tired. However, I have managed to escape the string so I can read the contents of any directory. However, with the read file function, not only does it not let me escape to read a certain file, but it’s IN the php file to be checked. Looks like it checks to see if you are trying to read that file, and if so, it returns false. Can anyone PM me a hint on what to do so I can read the file I need?

@publicist said:
So I feel kinda dumb, but I also am a bit tired. However, I have managed to escape the string so I can read the contents of any directory. However, with the read file function, not only does it not let me escape to read a certain file, but it’s IN the php file to be checked. Looks like it checks to see if you are trying to read that file, and if so, it returns false. Can anyone PM me a hint on what to do so I can read the file I need?

Check your PMs.

Thanks to @TazWake and @raystr ! But something is up with the box not letting me grab the keys from /etc. Already have the public ones from the home folder.

Anyone else have this issue?

EDIT: Scratch that. Not important. Wasn’t looking hard enough for a file that was right in front of me.

@s1k said:
this should come in handy for anyone needing to remove newline and escape characters in a file they might hypothetically find somewhere:

cat dirty_file | sed 's/\\n/\n/g' | sed 's/\\//g' > clean_file

This is great. Thank you!

EDIT: r00ted. Thanks to those that helped me and gave hints along the way. I really liked the user portion of this box and I like the concept of root, but I think a better app would have made it easier to wrap my head around it. When I was looking at tic TAC toe, I had no idea what that did. But, there’s a great example where someone wants a file they don’t have access to, so they tar it instead and then untar it and voilà. Oh well, still learned a lot about what can access what. It’s like having a really good friend who is an app with access to the entire kingdom! :slight_smile:
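The sed pipeline quoted from @s1k above removes every backslash after converting `\n`, which is fine when the only escapes are `\n` and `\/`, but it corrupts text that contains an escaped backslash followed by `n`. As an added example (not part of the thread), here is a decoder that reads each escape exactly once; the function name `unescape_dump` and the sample text are made up for illustration.

```shell
#!/bin/sh
# Added example: decode JSON-style escapes (\n \t \r \/ \\ \") in a text dump.
# Usage: unescape_dump FILE  -> decoded text on stdout
unescape_dump() {
    # awk walks the line character by character, so an escaped backslash
    # is consumed once and never re-read as the start of another escape.
    awk '
    {
        out = ""
        n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            # Ordinary character, or a lone backslash at end of line.
            if (c != "\\" || i == n) { out = out c; continue }
            e = substr($0, ++i, 1)
            if      (e == "n") out = out "\n"
            else if (e == "t") out = out "\t"
            else if (e == "r") out = out "\r"
            else if (e == "/" || e == "\\" || e == "\"") out = out e
            else out = out "\\" e   # unknown escape: keep it unchanged
        }
        print out
    }' "$1"
}

# Constructed sample: contains \n, \/ and an escaped backslash before "n".
sample=$(mktemp)
printf '%s' 'line1\nA\/B\nC:\\new' > "$sample"

echo "--- unescape_dump ---"
unescape_dump "$sample"          # third line is C:\new

echo "--- sed pipeline from the thread ---"
# Here the \\n inside C:\\new is partly matched as \n, so the line is split
# and the backslash is lost.
sed 's/\\n/\n/g' "$sample" | sed 's/\\//g'
echo

rm -f "$sample"
```
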

I didn’t like the first step after obtaining user, but aside from that it was a nice box, made me learn something that I’ll check from now on.