Teacher

Any hints for getting root?

Guys, how do we find the last char of the pass? I created a script and guessed all chars, but it still didn’t work. Help me.

@ZeusBot said:
Guys, how do we find the last char of the pass? I created a script and guessed all chars, but it still didn’t work. Help me.

Did you try all the letters, capital case and lower case, and symbols? Did you check if the login is correct? (Capital or lower case)

Guys, can you tell me how to find a password g* in shell? I was devil and I grabbed the shell. I’m stuck in there.

Feel free to PM me if you’re running into issues.

I’m lost on the priv esc to root. I thought the issue was going to be something “wild” with the “extraction” or something down the wrong binary “path”, but I cannot get either of those two attack vectors to work correctly. I also cannot locate the “script” that is actually doing any of this, so my attempts are blind. Where did I go wrong?

EDIT: Got it. Thanks, @DaChef’s comment pointed me in the right direction. If you cannot get wild, maybe you can have it look someplace else.

Rooted :slight_smile:

Initial Foothold:

As some people say in this thread it is necessary to search the Login Page, but it is not necessary to use Hydra or Bruteforce for the password, what you are looking for is in the Blackhat HS…

User:
Actually I could not with the initial flag, but maybe it could be trying, trying and trying …? Or maybe you have to search for “something” on the server that allows me to be G ** (any hint?)

Root
I saw this escalation method on another machine, it’s all about looking for an unusual file on the server, using a privilege escalation enumeration script and you’ll notice something strange

@samsepi0l said:
Rooted :slight_smile:

Initial Foothold:

As some people say in this thread it is necessary to search the Login Page, but it is not necessary to use Hydra or Bruteforce for the password, what you are looking for is in the Blackhat HS…

User:
Actually I could not with the initial flag, but maybe it could be trying, trying and trying …? Or maybe you have to search for “something” on the server that allows me to be G ** (any hint?)

Root
I saw this escalation method on another machine, it’s all about looking for an unusual file on the server, using a privilege escalation enumeration script and you’ll notice something strange

This has been the best hint so far imo. Thanks.

The initial foothold and getting user eat most of the time. Getting user is more of a struggle than root. Also, with all the resets on the free server, maintaining shell was tough.

Overall, okay-ish machine. Well, in the end, I learned something new. PM for hints if needed.

It took me quite a while to finish this box, mostly because I got very fed up with constant resets and having to go through all steps to get a shell again… Even on VIP, this kinda ruined the fun for me.

The initial steps of the box aren’t that realistic, but overall it’s still pretty kinda educational as it touches several techniques and there are different ways of getting root.

For foothold & user: make sure you enum the website properly. The site isn’t actually big and what you’re looking for stands out a lot, so this really shouldn’t be an issue. Then, use the hint that has been given earlier regarding ‘being evil’. Then, continue enumerating.
For root: There is something going on in your home folder (which is pretty easy to find as your home folder isn’t so big). Find out what’s triggering it, go through it properly and think of ways to exploit it.

Thanks to @Center for some hints!

I’m trying to be evil, but I can’t seem to get it right. If anyone’s able to lend a hand via PM, it would be appreciated.

Anyone care to answer a question about initial foothold? I’m 99.9% sure I know where I’m supposed to be looking but it won’t work… I have reset the box also.

@hray & @iCk read the POC and understand it. Then just try getting RCE in various ways. Always start with the command PING IP since it has no special characters and you can confirm you have RCE with it (tcpdump for ping on your local host). Once you get ping to work, you know you have RCE and can work on a shell from there. I’m not 100% sure, but I think if you do ping without -c 1 it hangs the server, so better to add that just in case, so you don’t have to revert. I also believe the webshells spawned hang the server as well, resulting in all the reverts.

@cpazzolin said:
I think someone put the root and user flag readable for everyone

now that I get the box, I understand that this is one of the great defects of this box. I’m sure that many, like me, will end up getting on the flag effortlessly because of this

Given that the machines are shared, it’s to be expected. Whenever I get a root trivially, I always revert, and try to exploit again, just to be sure I got it the intended way. If not, then I’ll know once I revert, and I can give it a go without ‘an assist’.

@SW4gb3JkZXIgdG said:

@cpazzolin said:
I think someone put the root and user flag readable for everyone

now that I get the box, I understand that this is one of the great defects of this box. I’m sure that many, like me, will end up getting on the flag effortlessly because of this

Given that the machines are shared, it’s to be expected. Whenever I get a root trivially, I always revert, and try to exploit again, just to be sure I got it the intended way. If not, then I’ll know once I revert, and I can give it a go without ‘an assist’.

Yeah, I always take great care to reset boxes when I finish if I do something messy like that.

Edit: forgot where I was at. If one reverse shell doesn’t work, try another.

Just want to make sure, but am I crazy, or if you don’t basically copy that thing verbatim the payload won’t work?

Hi guys,

Can someone help me on the privesc? I am really trying to be wild, but it is not working for me. If possible, I want to discuss my findings so far. I really appreciate clarifications. Tks

Edited: Rooted with shell right now!

I’m in as g******* but missing something to read the filesystem. Could anyone help me?
Thank you

@madcap said:
I’m in as g******* but missing something to read the filesystem. Could anyone help me?
Thank you

Try to improve your system enumeration process, like searching for unusual files on common directories.