Vault

After getting access to D** I can ping vault. I also ran nmap and found two ports, but they are closed! DM me any hints! Thanks!

Edit: Rooted!

I think this box is broken, no ARP for firewall IP now??

@badman89 said:
I think this box is broken, no ARP for firewall IP now??

edit: nvm just being impatient

Feel free to PM me if you are running into issues.

Could anyone help on the o*** file syntax?
I’m really lost trying to make it work for a few hours already.

I wrote on it a couple of times and now I can’t write anymore, only timeouts.

I’ve got a shell on D**, got some creds and see a user.txt file which is empty. Not sure if that is meant to be like that? Before I revert and pi** anyone off, I would check in to see if this is meant to be the case. Thanks guys

As d*** on D** you should have a user.txt. There is an empty one (probably) at the place where you found some credentials, though.

I was root. Got it now. Thought I did a “find /” … perhaps not. Cheers bud. I hate reverting and spoiling for anyone.

I need some hints, anyone PM me :anguished:

I am on D**, and I am completely flummoxed as to how to get over to V****. I see the two closed ports. Anyone feel like DMing me a pointer or two? I’m out of ideas.

EDIT 1: Taking a closer look at a certain log file…

EDIT 2: Ooooh! It looks like I connected… Which is strange since I tried using a similar thing with nmap earlier with no success.

EDIT 3: Yep, I’m in. All the info you need is indeed in the logs not necessarily in the user directories or anything.

The box is fun. I especially like the “box in a box” concept.
But I wonder about getting root.txt: I found it without being root on Vault, even after reset. I assume this is the intended way but would like to know if someone was able to get root on the box, or if I was just lucky (at least 2 times :wink:)

I have some trouble with the shell upload. I try some ways … if I upload a wrong file I get an error message, but if I try another the page is like stuck without any message. Is it normal?

edit: rooted
This thread is full of hints already, but giving my two cents:
User: Up to the first reverse shell it’s really straightforward. You then start enumerating everything, you’ll find your way. Read the files and learn lateral movement.

Root: Easier to find, trickier to get. You’ll need to research and to pay more attention to details. One hint is to write down everything you find since the beginning, you never know when or how you might need it.

I’m root on D**…cannot find any root.txt…any hint???

@BlackArrow said:
I’m root on D**…cannot find any root.txt…any hint???

You have got another box to go yet…

Fucking awesome box again. Was funny but I don’t want to see it again!!!

My hints:

User: don’t overthink as I did. Enumerate file upload extensions. Read this article https://netsec.ws/?p=278 (feel free to report if it was a spoiler). If you find another service just enumerate again (from the beginning like a new machine), but don’t touch too much or you will lose the information. Be fucking happy

Root: everything is here, so follow instructions. Read the logs, read everything. Copy and paste in a smart way. At this point you are close, all you need is in the initial machine. And again be fucking happy

Feel free to report spoilers

got root thanks @CHUCHO for the hints on tunneling!!!

@IteXss said:
got root thanks @CHUCHO for the hints on tunneling!!!

ssh tunneling not working here…■■■■ my syntax

I would really appreciate it if someone can PM me and has time to explain to me what the objective of SSH tunneling really is. I’ve read through several posts but I really need question-specific answers :slight_smile: Thanks in advance

Google Dynamic Port Forwarding (SSH) and you shall receive