Hint for Waldo

Hi, I need help in how to read the file that I was able to locate like the html and localhost.

@drywaterv2 said:
Okay, I finally got root on this box, thanks to @Baikuya and @dualfade for the help. You can only get the root flag and not a root shell.
Honestly this box was very frustrating and it’s not the fault of the creators by any means but mine. Everything that was needed to own this box was new to me. My hints for this box are:

For user, it’s basic directory traversal. Try to intercept and modify the requests you make to the web server. Look at what is being called and read inside the scripts that are run - see how you can bypass the filters those scripts use to prevent you from performing what you want to do. Then ssh tunneling can take you to the correct user. If you’ve done DevOops, the method of getting in to this box is similar to it.

For root, you can use the programs inside the user’s folder to break out of jail. Try each of them and look up how you can break out with them. Afterwards, getcap is key - try to find where it’s located and run it from its path.

Some of the posts in this thread may help a bit as well.

If anyone needs help with this box feel free to PM me.

I’ve been stuck on this final part for almost half a day now and I’m pulling my hair out.
I know the difference between the two programs, but the other (utility) binaries seem to have the same abilities. Due to a lack of permissions I can’t seem to find a way to abuse it and read root.txt

I can browse all the filesystem using did.php and escaping the parameter. But struggling to read the content of any file using f***d.php. Is escape sequence same for both calls?

@s4m3sh said:
I can browse all the filesystem using did.php and escaping the parameter. But struggling to read the content of any file using f***d.php. Is escape sequence same for both calls?

Yes, might want to double check your parameters

thanks

Spoiler Removed - egre55

I have no***** shell, any hints to mo***** user?

Update : Rooted thanks all

I got root flag already, but there are two things that bother me:

  • Even though it was not intended, is it possible to get privesc?
  • WTF Does steghide do in background image? O.o Anyone found key for that?

Got the root flag. Is it possible to get root shell? Could someone give some hints?

I can’t seem to format it properly. I have tried cat dirty_file | sed ‘s/\n/\n/g’ | sed ‘s/\//g’ > clean_file and “:%s/\n/\r/g” I had also tried to substitute backslashes “:%s/\//g”
(when done in vim… sed is probably slightly different) as some users have stated in this post. None of them seem to work for me as I am still getting the bad format error. I have looked through the file, but I don’t notice any other bad chars. I know for a fact that I got the right key. I located the .m* file inside of the home directory.

Would someone mind shooting me a PM? I feel like I am losing it.

Logged in as M******.
Stuck in the bash.
Need help to get out of the jail and PE?

Can someone please PM me a few hints? Managed to cross the street and read the safe word, removed new lines and escaped chars and tried to login as m*****, public key denied no matter what I do. After a few hours I almost lost hope and in a desperate effort I tried sshing in with n*****, which worked straight away and showed a user.txt file which I could read. I feel that someone is messing with the box and I shouldn’t have been able to read that file. Can anyone please let me know if this was the correct way and help me with the ssh key please?

OK, ok got it, syntax error after realising that there is a known_host just for a certain host. Can someone please confirm that my initial foothold was done correctly or I was just lucky reading user.txt as n*****? Not seeing user.txt from m****** makes me believe something is wrong

got user… was confused with user names though but found the way… On my way to root, tried to enumerate but still nothing :frowning:

@dimhatzi said:
got user… was confused with user names though but found the way… On my way to root, tried to enumerate but still nothing :frowning:

Do you still need help with root? If so I can PM you. :slight_smile:

Rooted! Thanks a lot @ZaphodBB for assistance, very nice Linux feature that I wasn’t aware of :slight_smile:

Got root :slight_smile: Thnx @Clmtn for mentoring…
Nice box…

Rooted this box last week, very fun one to do! Requires plenty of research and I learned some new things in the process. :slight_smile: If anyone needs some hints, feel free to message me, I don’t spoil anything, I just nudge you in the right direction.

Going through the thread absolutely helped, finally got root.

  • The user part was where I spent most of the time, problem was using the wrong file. The commands about cleaning the retrieved file in vim were solid.

  • I used this for the last part, was also posted in the thread.
    An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ

  • Just remember to look for the files, because of path!!

Happy to help anyone who needs a nudge :smile:

ikuamike
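
A defender's view of the getcap/setcap point raised in this thread, added here as an example and not part of any post: a POSIX shell function that reads `getcap -r` output and flags binaries whose file capabilities bypass permission checks or allow identity changes. The paths, the sample output and the RISKY_CAPS list are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag file capabilities that sidestep normal permission checks.
# Feed it real data with:  getcap -r / 2>/dev/null | flag_risky_caps
# (getcap often lives in /sbin or /usr/sbin, outside an unprivileged PATH).

# Capabilities treated as high risk here: an assumption, not an exhaustive list.
RISKY_CAPS="cap_dac_read_search cap_dac_override cap_setuid cap_setgid \
cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# Reads getcap lines on stdin, prints "path<TAB>risky caps<TAB>flags".
flag_risky_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Older libcap prints "path = caps+ep"; newer prints "path caps=ep".
        case "$line" in
            *" = "*) path=${line%% = *}; caps=${line#* = } ;;
            *)       path=${line% *};    caps=${line##* } ;;
        esac
        names=${caps%%[+=]*}   # capability list before the flag operator
        flags=${caps##*[+=]}   # e, i, p flags; reported, not filtered, since an
                               # inheritable grant still counts when the caller
                               # holds that capability in its inheritable set
        hits=""
        if [ -z "$names" ]; then
            hits="all"         # "=ep" with no names grants every capability
        else
            old_ifs=$IFS; IFS=,
            for cap in $names; do
                case " $RISKY_CAPS " in
                    *" $cap "*) hits="${hits:+$hits,}$cap" ;;
                esac
            done
            IFS=$old_ifs
        fi
        if [ -n "$hits" ]; then
            printf '%s\t%s\t%s\n' "$path" "$hits" "$flags"
        fi
    done
}

# Constructed sample covering both output formats; not taken from any real host.
sample_getcap_output() {
    printf '%s\n' \
        '/usr/bin/ping = cap_net_raw+ep' \
        '/opt/tools/backup-reader = cap_dac_read_search+ei' \
        '/usr/local/bin/helper cap_setuid,cap_net_bind_service=ep' \
        '/srv/app/worker cap_dac_override=i' \
        '/usr/sbin/legacy =ep'
}

sample_getcap_output | flag_risky_caps
```

Anything this reports that is not a deliberate, documented grant can be cleared with `setcap -r <path>`.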

Rooted months ago, anyone interested in talking about alternative hacking ways? Cheers