Hint for Waldo


Comments

  • Just out of curiosity... are people really becoming physical root or just taking the flag and calling it a day ?

  • @dualfade said:
    Just out of curiosity... are people really becoming physical root or just taking the flag and calling it a day ?

    Root shell is not possible. People are only getting the flag and calling it "root"

  • @snowman418 said:

    @dualfade said:
    Just out of curiosity... are people really becoming physical root or just taking the flag and calling it a day ?

    Root shell is not possible. People are only getting the flag and calling it "root"

    I see. Makes sense.. I'm new to the CTF style systems.

    Thanks !

  • Got root :tired_face: :D .
    Overlooked so many things.
    So make sure you check dirs a few times, go and see what you might have missed. Can't emphasize more. Everything is right in front of you.

    PM if you need a hint.

  • I can't for the life of me escape jail. Feel like I've tried everything now.
    Can someone give me a nudge?

  • @s1gh said:
    I can't for the life of me escape jail. Feel like I've tried everything now.
    Can someone give me a nudge?

    https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

  • So I feel kinda dumb, but I also am a bit tired. However, I have managed to escape the string so I can read the contents of any directory. However, with the read file function, not only does it not let me escape to read a certain file, but it's IN the php file to be checked. Looks like it checks to see if you are trying to read that file, and if so, it returns false. Can anyone PM me a hint on what to do so I can read the file I need?

    publicist

  • @publicist said:
    So I feel kinda dumb, but I also am a bit tired. However, I have managed to escape the string so I can read the contents of any directory. However, with the read file function, not only does it not let me escape to read a certain file, but it's IN the php file to be checked. Looks like it checks to see if you are trying to read that file, and if so, it returns false. Can anyone PM me a hint on what to do so I can read the file I need?

    Check your PMs.

  • edited November 2018

    Thanks to @TazWake and @raystr ! But something is up with the box not letting me grab the keys from /etc. Already have the public ones from the home folder.

    Anyone else have this issue?

    EDIT: Scratch that. Not important. Wasn't looking hard enough for a file that was right in front of me.

    publicist

  • edited November 2018

    @s1k said:
    this should come in handy for anyone needing to remove newline and escape characters in a file they might hypothetically find somewhere:

    cat dirty_file | sed 's/\\n/\n/g' | sed 's/\\//g' > clean_file

    This is great. Thank you!

    EDIT: r00ted. Thanks to those that helped me and gave hints along the way. I really liked the user portion of this box and I like the concept of root, but I think a better app would have made it easier to wrap my head around it. When I was looking at tic TAC toe, I had no idea what that did. But, there's a great example where someone wants a file they don't have access to, so they tar it instead and then untar it and voilà. Oh well, still learned a lot about what can access what. It's like having a really good friend who is an app with access to the entire kingdom! :)

    publicist

  • I didn't like the first step after obtaining user, but aside from that it was a nice box, made me learn something that I'll check from now on.

    Uvemode
    OSCP | eCPPT |

  • I can't get over the initial step. So I am using ZAP proxy to meddle with the POST requests but all I can get is a list of files in the html/ directory and there are no user.txt files there that everybody is talking about. So how am I supposed to use the fileRead.php and to read what? Also I can't traverse beyond the parent directory. I appreciate any tips how to get past this.

    Arrexel

  • Okay, I got to the m****** user, I broke out of jail, and now I have no idea for root. I read about Linux capabilities and so on but I have no idea how I could use that. Anyone have a hint?

    drywaterv2

  • edited November 2018

    @Laur said:
    I can't get over the initial step. So I am using ZAP proxy to meddle with the POST requests but all I can get is a list of files in the html/ directory and there are no user.txt files there that everybody is talking about. So how am I supposed to use the fileRead.php and to read what? Also I can't traverse beyond the parent directory. I appreciate any tips how to get past this.

    Yes you can. What helped me is writing down what the script is looking for and removing. Remember, it only removes certain parts.
    https://tipstrickshack.blogspot.com/2013/02/how-to-bypassing-filter-to-traversal_8831.html has some good tips for this part.

    Also, Burp Suite is very useful for this over ZAP

  • edited November 2018

    removed

  • Rooted the box.
    If anyone is stuck or needs a hint feel free to PM me.

    Baikuya
    OSCP

  • edited November 2018

    I don't know why everyone is talking about a m***** user. I'm logged in as n***** and there's no user m***** in the passwd file. Also everyone is talking about a special file I can't find. I've been looking for that file for hours now. Please give me a hint :(

    EDIT: Forget it! I'm logged in as m***** now.

    xeto

  • edited November 2018

    Someone help me pls? I'm stuck on priv.. PM pls.

    Edit: I got it. If you need help, PM me. But pls send a private message on the main page..

  • Thanks @Baikuya for giving me tips on getting the user! Now time to get root!

    Arrexel

  • Any tips on root guys? Got out of "jail" and I have enumerated those files in home directory but no clue how are they gonna help me get to root.

    Arrexel

  • got r00t! Thanks @justsome for pointing me in the right direction. I learned a lot with this box and spent a whole day on this :dizzy:

    Arrexel

  • This was a good Machine. :smile: Learned something new. Pm for hints if needed.

    Draco123

  • got the root flag. Thanks @justsome for the hint.

  • edited November 2018

    Broke out of rshell. Can anyone give me a hint about getting root now? Don't know what to do with these files :(

    EDIT: Nvm got root =) If you need a hint about privesc PM me

    xeto

  • got root.

    definitely learned a lot. there were so many layers to getting user and root.

    pm me if you need help!

  • edited November 2018

    @raku said:

    Had the same thing at first, then I just substituted

    ":%s/\\n/\r/g"

    I had to also substitute backslashes

    ":%s/\\//g"

    (when done in vim... sed is probably slightly different).

    The key should then be in the proper format

    This hint is prime, thank you @raku

    0x1ns1d3

  • edited November 2018

    Anyone get an actual root shell? Not just the root flag?

  • edited November 2018

    Okay, I finally got root on this box, thanks to @Baikuya and @dualfade for the help. You can only get the root flag and not a root shell.
    Honestly this box was very frustrating and it's not the fault of the creators by any means but mine. Everything that was needed to own this box was new to me. My hints for this box are:

    For user, it's basic directory traversal. Try to intercept and modify the requests you make to the web server. Look at what is being called and read inside the scripts that are run - see how you can bypass the filters those scripts use to prevent you from performing what you want to do. Then ssh tunneling can take you to the correct user. If you've done DevOops, the method of getting in to this box is similar to it.

    For root, you can use the programs inside the user's folder to break out of jail. Try each of them and look up how you can break out with them. Afterwards, getcap is key - try to find where it's located and run it from its path.

    Some of the posts in this thread may help a bit as well.

    If anyone needs help with this box feel free to PM me.

    drywaterv2
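
An added example, not part of any post in this thread: the getcap hint above is also how an administrator audits a host, since a file capability can hand a program rights that ordinary permission bits do not show. The sketch below filters `getcap -r` style output for grants worth reviewing; the capability list, paths and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag file capabilities worth reviewing.
# Paths and sample lines below are constructed placeholders.

# Capabilities that bypass file permission checks or allow identity changes.
RISKY="cap_dac_read_search cap_dac_override cap_fowner cap_chown cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace"

# Reads `getcap -r` style lines on stdin and prints "path<TAB>capability"
# for every risky grant. Accepts both layouts getcap has used:
#   /path = cap_x+ep      (older libcap)
#   /path cap_x=ep        (newer libcap)
flag_risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *" = "*) path=${line%% = *}; caps=${line#* = } ;;
            *)       path=${line% *};    caps=${line##* } ;;
        esac
        # A bare "=ep" style clause grants every capability at once.
        case "$caps" in
            =*) printf '%s\tALL\n' "$path"; continue ;;
        esac
        # Split "cap_a,cap_b+ep" into tokens; flag letters simply never match.
        for cap in $(printf '%s' "$caps" | tr ',+= ' '\n\n\n\n'); do
            case " $RISKY " in
                *" $cap "*) printf '%s\t%s\n' "$path" "$cap" ;;
            esac
        done
    done
    return 0
}

# Constructed sample input (placeholder paths, both output layouts).
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/opt/example/backup-tool = cap_dac_read_search+ei
/opt/example/netmon cap_net_admin,cap_net_raw=eip
/opt/example/helper cap_setuid=ep
/opt/example/legacy =ep
EOF
}

# Demo on the sample; on a real host: getcap -r / 2>/dev/null | flag_risky_caps
sample_getcap_output | flag_risky_caps
```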

  • edited November 2018

    Can anyone give me a hint on what is needed for the first step of priv esc? I understand it's something to do with getting to m****** user but very lost on what to do here.
    Edit: NVM overcomplicated it
    Edit: Got root thanks @Baikuya for the hints!

  • Can you guys load this box for more than 3 seconds at a time? Seems like somebody is sitting on the reset button and I'm going to have a stroke over it. It's been hours and hours now. Up for 10 seconds, down for a minute.
