Hint for Waldo

This was a good Machine. :smile: Learned something new. Pm for hints if needed.

Got the root flag. Thanks @justsome for the hint.

Broke out of rshell. Can anyone give me a hint about getting root now? Don't know what to do with these files :frowning:

EDIT: Nvm got root =) If you need a hint about privesc PM me

Got root.

Definitely learned a lot. There were so many layers to getting user and root.

PM me if you need help!

@raku said:

Had the same thing at first, then I just substituted

“:%s/\\n/\r/g”
I had to also substitute backslashes
“:%s/\\//g”
(when done in vim… sed is probably slightly different).
The key should then be in the proper format

This hint is prime, thank you @raku

Anyone get an actual root shell? Not just the root flag?

Okay, I finally got root on this box, thanks to @Baikuya and @dualfade for the help. You can only get the root flag and not a root shell.
Honestly this box was very frustrating and it’s not the fault of the creators by any means but mine. Everything that was needed to own this box was new to me. My hints for this box are:

For user, it’s basic directory traversal. Try to intercept and modify the requests you make to the web server. Look at what is being called and read inside the scripts that are run - see how you can bypass the filters those scripts use to prevent you from performing what you want to do. Then ssh tunneling can take you to the correct user. If you’ve done DevOops, the method of getting in to this box is similar to it.

For root, you can use the programs inside the user’s folder to break out of jail. Try each of them and look up how you can break out with them. Afterwards, getcap is key - try to find where it’s located and run it from its path.

Some of the posts in this thread may help a bit as well.

If anyone needs help with this box feel free to PM me.

Can anyone give me a hint on what is needed for the first step of privesc? I understand it's something to do with getting to m****** user but very lost on what to do here.
Edit: NVM overcomplicated it
Edit: Got root thanks @Baikuya for the hints!

Can you guys load this box for more than 3 seconds at a time? Seems like somebody is sitting on the reset button and I'm going to have a stroke over it. It's been hours and hours now. Up for 10 seconds, down for a minute.

Hi, I need help in how to read the file that I was able to locate like the html and localhost.

@drywaterv2 said:
Okay, I finally got root on this box, thanks to @Baikuya and @dualfade for the help. You can only get the root flag and not a root shell.
Honestly this box was very frustrating and it’s not the fault of the creators by any means but mine. Everything that was needed to own this box was new to me. My hints for this box are:

For user, it’s basic directory traversal. Try to intercept and modify the requests you make to the web server. Look at what is being called and read inside the scripts that are run - see how you can bypass the filters those scripts use to prevent you from performing what you want to do. Then ssh tunneling can take you to the correct user. If you’ve done DevOops, the method of getting in to this box is similar to it.

For root, you can use the programs inside the user’s folder to break out of jail. Try each of them and look up how you can break out with them. Afterwards, getcap is key - try to find where it’s located and run it from its path.

Some of the posts in this thread may help a bit as well.

If anyone needs help with this box feel free to PM me.

I’ve been stuck on this final part for almost half a day now and I’m pulling my hair out.
I know the difference between the two programs, but the other (utility) binaries seem to have the same abilities. Due to a lack of permissions I can’t seem to find a way to abuse it and read root.txt

I can browse all the filesystem using did.php and escaping the parameter. But struggling to read the content of any file using f***d.php. Is escape sequence same for both calls?

@s4m3sh said:
I can browse all the filesystem using did.php and escaping the parameter. But struggling to read the content of any file using f***d.php. Is escape sequence same for both calls?

Yes, might want to double check your parameters

thanks

Spoiler Removed - egre55

I have no***** shell, any hints to mo***** user?

Update : Rooted thanks all

I got root flag already, but there are two things that bother me:

  • Even though it was not intended, is it possible to get privesc?
  • WTF Does steghide do in background image? O.o Anyone found key for that?

Got the root flag. Is it possible to get root shell? Could someone give some hints?

I can’t seem to format it properly. I have tried cat dirty_file | sed ‘s/\n/\n/g’ | sed ‘s/\//g’ > clean_file and “:%s/\n/\r/g” I had also tried to substitute backslashes “:%s/\//g”
(when done in vim… sed is probably slightly different) as some users have stated in this post. None of them seem to work for me as I am still getting the bad format error. I have looked through the file, but I don’t notice any other bad chars. I know for a fact that I got the right key. I located the .m* file inside of the home directory.

Would someone mind shooting me a PM? I feel like I am losing it.
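
Added example, not part of any post in this thread: a decoder for the key-formatting problem discussed above, plus a check that reports why a PEM-style file is still in "bad format". It assumes the text was saved as a JSON-escaped string (literal `\n` and `\/` sequences); the sample block, `decode_escaped` and `pem_problems` are constructed for illustration.

```python
import base64
import json
import re

# Constructed sample: a PEM-style block as it looks after JSON string encoding
# (backslash + n for line breaks, backslash + slash). Body is dummy data, not a key.
ESCAPED = ('"-----BEGIN RSA PRIVATE KEY-----\\n'
           'QUJD\\/0RFRkdISUpLTE1OT1BRUlNUVVZXWFla\\n'
           'YWJj\\/2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6\\n'
           '-----END RSA PRIVATE KEY-----\\n"')

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?", re.S)


def decode_escaped(text):
    """Undo JSON string escaping; accepts the value with or without its quotes."""
    text = text.strip()
    if not (text.startswith('"') and text.endswith('"')):
        text = '"' + text + '"'
    # A JSON parser resolves every escape in one pass. In a sed or vim pattern,
    # \n means a real line break; the escaped form is backslash + n, i.e. \\n.
    return json.loads(text)


def pem_problems(pem):
    """Return a list of formatting problems; an empty list means well-formed."""
    problems = []
    if "\\" in pem:
        problems.append("leftover backslash escapes")
    if "\r" in pem:
        problems.append("carriage returns (CRLF line endings)")
    match = PEM_RE.fullmatch(pem)
    if not match:
        problems.append("BEGIN/END markers not on their own lines")
        return problems
    try:
        base64.b64decode("".join(match.group(2).split("\n")), validate=True)
    except ValueError:
        problems.append("body is not valid base64")
    if not pem.endswith("\n"):
        problems.append("missing trailing newline")
    return problems


if __name__ == "__main__":
    print("before:", pem_problems(ESCAPED[1:-1]))
    print("after: ", pem_problems(decode_escaped(ESCAPED)))
```
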

Logged in as M******.
Stuck in the bash.
Need help to get out of the jail and PE?