Hint for Waldo

Got root :tired_face: :smiley: .
Overlooked so many things.
So make sure you check dirs a few times, go and see what you might have missed. Can’t emphasize it more. Everything is right in front of you.

PM if you need a hint.

I can’t for the life of me escape jail. Feel like I’ve tried everything now.
Can someone give me a nudge?

@s1gh said:
I can’t for the life of me escape jail. Feel like I’ve tried everything now.
Can someone give me a nudge?

So I feel kinda dumb, but I also am a bit tired. However, I have managed to escape the string so I can read the contents of any directory. However, with the read file function, not only does it not let me escape to read a certain file, but it’s IN the php file to be checked. Looks like it checks to see if you are trying to read that file, and if so, it returns false. Can anyone PM me a hint on what to do so I can read the file I need?

@publicist said:
So I feel kinda dumb, but I also am a bit tired. However, I have managed to escape the string so I can read the contents of any directory. However, with the read file function, not only does it not let me escape to read a certain file, but it’s IN the php file to be checked. Looks like it checks to see if you are trying to read that file, and if so, it returns false. Can anyone PM me a hint on what to do so I can read the file I need?

Check your PMs.

Thanks to @TazWake and @raystr! But something is up with the box not letting me grab the keys from /etc. Already have the public ones from the home folder.

Anyone else have this issue?

EDIT: Scratch that. Not important. Wasn’t looking hard enough for a file that was right in front of me.

@s1k said:
this should come in handy for anyone needing to remove newline and escape characters in a file they might hypothetically find somewhere:

cat dirty_file | sed 's/\\n/\n/g' | sed 's/\\//g' > clean_file

This is great. Thank you!

EDIT: r00ted. Thanks to those that helped me and gave hints along the way. I really liked the user portion of this box and I like the concept of root, but I think a better app would have made it easier to wrap my head around it. When I was looking at tic TAC toe, I had no idea what that did. But, there’s a great example where someone wants a file they don’t have access to, so they tar it instead and then untar it and voilà. Oh well, still learned a lot about what can access what. It’s like having a really good friend who is an app with access to the entire kingdom! :slight_smile:

I didn’t like the first step after obtaining user, but aside from that it was a nice box, made me learn something that I’ll check from now on.

I can’t get over the initial step. So I am using ZAP proxy to meddle with the POST requests but all I can get is a list of files in the html/ directory and there are no user.txt files there that everybody is talking about. So how am I supposed to use the fileRead.php and to read what? Also I can’t traverse beyond the parent directory. I appreciate any tips on how to get past this.

Okay, I got to the m****** user, I broke out of jail, and now I have no idea for root. I read about Linux capabilities and so on but I have no idea how I could use that. Anyone have a hint?

@Laur said:
I can’t get over the initial step. So I am using ZAP proxy to meddle with the POST requests but all I can get is a list of files in the html/ directory and there are no user.txt files there that everybody is talking about. So how am I supposed to use the fileRead.php and to read what? Also I can’t traverse beyond the parent directory. I appreciate any tips on how to get past this.

Yes you can. What helped me is writing down what the script is looking for and removing. Remember, it only removes certain parts.
How to Bypassing Filter to Traversal Attacks ? | Hacking & Tricks has some good tips for this part.

Also, Burp Suite is very useful for this over ZAP.

Rooted the box.
If anyone is stuck or needs a hint feel free to PM me.

I don’t know why everyone is talking about a m***** user. I’m logged in as n***** and there’s no user m***** in the passwd file. Also everyone is talking about a special file I can’t find. I’ve been looking for that file for hours now. Please give me a hint :frowning:

EDIT: Forget it! I’m logged in with m***** now.

Someone help me pls? I’m stuck priv… PM pls.

Edit: I got it. If u need help, PM me. But pls send a private message on the main page…

Thanks @Baikuya for giving me tips on getting the user! Now time to get root!

Any tips on root, guys? Got out of “jail” and I have enumerated those files in the home directory but no clue how they are gonna help me get to root.

got r00t! Thanks @justsome for pointing me in the right direction. I learned a lot with this box and spent a whole day on this :dizzy:

This was a good machine. :smile: Learned something new. PM for hints if needed.

got the root flag. Thanks @justsome for the hint.