Hint for Waldo

Okay, I got to the m****** user, I broke out of jail, and now I have no idea for root. I read about Linux capabilities and so on but I have no idea how I could use that. Anyone have a hint?

@Laur said:
I can’t get over the initial step. So I am using ZAP proxy to meddle with the POST requests but all I can get is a list of files in the html/ directory and there are no user.txt files there that everybody is talking about. So how am I supposed to use the fileRead.php and to read what? Also I can’t traverse beyond the parent directory. I appreciate any tips on how to get past this.

Yes you can. What helped me is writing down what the script is looking for and removing. Remember, it only removes certain parts.
How to Bypassing Filter to Traversal Attacks ? | Hacking & Tricks has some good tips for this part.

Also, Burp Suite is very useful for this over ZAP.

Rooted the box.
If anyone is stuck or needs a hint feel free to PM me.

I don’t know why everyone is talking about a m***** user. I’m logged in as n***** and there’s no user m***** in the passwd file. Also everyone is talking about a special file I can’t find. I’ve been looking for that file for hours now. Please give me a hint :frowning:

EDIT: Forget it! I’m logged in with m***** now.

Someone help me pls? I’m stuck priv… PM pls.

Edit: I got it. If u need help, PM me, but pls send a private message on the main page…

Thanks @Baikuya for giving me tips on getting the user! Now time to get root!

Any tips on root guys? Got out of “jail” and I have enumerated those files in home directory but no clue how are they gonna help me get to root.

got r00t! Thanks @justsome for pointing me in the right direction. I learned a lot with this box and spent a whole day on this :dizzy:

This was a good Machine. :smile: Learned something new. Pm for hints if needed.

got the root flag. Thanks @justsome for the hint.

Broke out of rshell. Can anyone give me a hint about getting root now? Don’t know what to do with these files :frowning:

EDIT: Nvm got root =) If you need a hint about privesc PM me

Got root.

Definitely learned a lot. There were so many layers to getting user and root.

PM me if you need help!

@raku said:

Had the same thing at first, then I just substituted

“:%s/\\n/\r/g”
I had to also substitute backslashes
“:%s/\\//g”
(when done in vim… sed is probably slightly different).
The key should then be in the proper format

This hint is prime, thank you @raku

Anyone get an actual root shell? Not just the root flag?

Okay, I finally got root on this box, thanks to @Baikuya and @dualfade for the help. You can only get the root flag and not a root shell.
Honestly this box was very frustrating and it’s not the fault of the creators by any means but mine. Everything that was needed to own this box was new to me. My hints for this box are:

For user, it’s basic directory traversal. Try to intercept and modify the requests you make to the web server. Look at what is being called and read inside the scripts that are run - see how you can bypass the filters those scripts use to prevent you from performing what you want to do. Then ssh tunneling can take you to the correct user. If you’ve done DevOops, the method of getting in to this box is similar to it.

For root, you can use the programs inside the user’s folder to break out of jail. Try each of them and look up how you can break out with them. Afterwards, getcap is key - try to find where it’s located and run it from its path.

Some of the posts in this thread may help a bit as well.

If anyone needs help with this box feel free to PM me.
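
The post above names getcap and Linux file capabilities as the key to the last step; from the defender's side the same listing is an audit input. The following is an added example, not part of the original thread: a shell function that reads `getcap -r` output and flags binaries holding capabilities that bypass file permission checks or change identity. The watch list, function names and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit file capabilities.
# Real use:  getcap -r / 2>/dev/null | flag_risky_caps

# Assumed watch list: capabilities that bypass file permission checks
# or allow changing identity. Adjust to local policy.
RISKY_CAPS='cap_dac_read_search cap_dac_override cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# Reads getcap output on stdin, prints "path: capability[,capability]".
flag_risky_caps() {
    awk -v risky="$RISKY_CAPS" '
    BEGIN { n = split(risky, want, " ") }
    NF < 2 { next }
    {
        # Older libcap prints "path = caps+ep", newer prints "path caps=ep".
        p = index($0, " = ")
        if (p > 0) {
            path = substr($0, 1, p - 1); caps = substr($0, p + 3)
        } else {
            caps = $NF
            path = substr($0, 1, length($0) - length(caps) - 1)
        }
        names = caps
        gsub(/[+=][eip]+/, "", names)   # drop the flag suffix (+ep, =eip)
        gsub(/ /, ",", names)
        hits = ""
        # A bare "=ep" names no capability: it grants the whole set.
        if (names == "") hits = "all"
        for (i = 1; i <= n; i++)
            if (index("," names ",", "," want[i] ","))
                hits = hits (hits == "" ? "" : ",") want[i]
        if (hits != "") print path ": " hits
    }'
}

# Constructed sample input; paths are made up for the demonstration.
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/opt/tools/backup-reader = cap_dac_read_search+ei
/usr/local/bin/helper cap_setuid,cap_net_bind_service=ep
/opt/tools/everything =ep
EOF
}

sample_getcap_output | flag_risky_caps
```

Any binary this reports outside the distribution's expected set is worth reviewing, and `setcap -r <path>` removes a capability grant that is not needed.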

Can anyone give me a hint on what is needed for the first step of priv sec? I understand it’s something to do with getting to m****** user but very lost on what to do here.
Edit: NVM overcomplicated it
Edit: Got root thanks @Baikuya for the hints!

Can you guys load this box for more than 3 seconds at a time? Seems like somebody is sitting on the reset button and I’m going to have a stroke over it. It’s been hours and hours now. Up for 10 seconds, down for a minute.

Hi, I need help in how to read the file that I was able to locate like the html and localhost.

@drywaterv2 said:
Okay, I finally got root on this box, thanks to @Baikuya and @dualfade for the help. You can only get the root flag and not a root shell.
Honestly this box was very frustrating and it’s not the fault of the creators by any means but mine. Everything that was needed to own this box was new to me. My hints for this box are:

For user, it’s basic directory traversal. Try to intercept and modify the requests you make to the web server. Look at what is being called and read inside the scripts that are run - see how you can bypass the filters those scripts use to prevent you from performing what you want to do. Then ssh tunneling can take you to the correct user. If you’ve done DevOops, the method of getting in to this box is similar to it.

For root, you can use the programs inside the user’s folder to break out of jail. Try each of them and look up how you can break out with them. Afterwards, getcap is key - try to find where it’s located and run it from its path.

Some of the posts in this thread may help a bit as well.

If anyone needs help with this box feel free to PM me.

I’ve been stuck on this final part for almost half a day now and I’m pulling my hair out.
I know the difference between the two programs, but the other (utility) binaries seem to have the same abilities. Due to a lack of permissions I can’t seem to find a way to abuse it and read root.txt