Teacher

Comments

  • Hi, I got root.txt, not in the wildest way I expected. Someone please help me with a root shell.

  • @Ruri said:
    My advice for everyone is just to move on to another box. This is a complete CTF nightmare factory and is not realistic in any sense of the word. If you're prepping for OSCP or trying to hone real-life pentesting skills, you are wasting your time here.

    I don't entirely agree with this, it's a bit 50/50. Yes, the initial part is pretty silly and very very CTF. The getting shell part is something that can happen in real life. Then the creator made another poor choice with how to get the password (very ctf again).
    I can see the priv esc part happening in real life as well, because it is just poor scripting, which does happen a lot.

  • Rooted the box :)

  • Interesting box ... shell can be a bit of a time monster. However, I did like the priv esc.

    GreysMatter

  • @deleite said:

    @Baikuya said:

    @deleite said:

    @Phrenesis2k said:

    @Sekisback said:
    Found a hidden txt from G***, made a passlist with all chars according to the txt. Used his first name as user. Tried it with hydra and burp. Nothing found.

    Username is case sensitive. So try again. ;)

    According to my tests, it's not.

    It is case sensitive on the login page!

    I managed to log in with 'Gio*****' and 'gio****' and the same password.

    Someone changed the creds then. You were lucky.

    Baikuya
    OSCP

  • edited December 2018

    any hint on root? Can't find 'running prog' everyone's mentioning.

    edit: thanks to @jkr , moving on

  • edited December 2018

    I think someone made the root and user flags readable for everyone
    ...
    Now that I've got the box, I understand that this is one of the great defects of this box. I'm sure that many, like me, will end up getting the flag effortlessly because of this.

  • What is wrong with this box? The commands which worked before are not giving an RCE anymore.

    Hack The Box

  • @zombie said:
    What is wrong with this box? The commands which worked before are not giving an RCE anymore.

    Try changing the name of your parameter.

  • edited December 2018

    @Ruri said:
    My advice for everyone is just to move on to another box. This is a complete CTF nightmare factory and is not realistic in any sense of the word. If you're prepping for OSCP or trying to hone real-life pentesting skills, you are wasting your time here.

    Spoiler Removed - egre55

  • edited December 2018

    Spoiler Removed - egre55

    I'll grant you that the rest of the box was much more interesting, after I completed it. I was just very frustrated with the initial portion.

  • @Ruri said:

    @kindred said:

    @Ruri said:
    My advice for everyone is just to move on to another box. This is a complete CTF nightmare factory and is not realistic in any sense of the word. If you're prepping for OSCP or trying to hone real-life pentesting skills, you are wasting your time here.

    The only CTF-y part is the initial text file playing as an image file. Everything else is pretty interesting, and the RCE in particularly was pretty difficult to get right.

    I'll grant you that the rest of the box was much more interesting, after I completed it. I was just very frustrated with the initial portion.

    Yeah, I found it pretty quickly by accident so I didn't mind it too much, but I had the exact feeling you have for this box with Frolic: just pointless, CTF-y nonsense imo.

  • I'm trying to be an evil teacher but can't get the reverse shell. Someone please PM me. Thanks!!

  • Hey,
    I did the same as in the vid but it doesn't work... Any PM for me?

  • Anyone able to PM me? I think I've found the way to get root, but I need help on the exact syntax.

  • A Hint for the people with the initial shell but without the user flag:
    To get the flag you need access and a leet idea (or is it spelled id?).

    If you ask for help, show your workings and what you've tried or I won't reply.

  • edited December 2018

    Any hints for getting root?

    xeto

  • Guys, how do we find the last char of the pass? I created a script and guessed all chars, but it still didn't work. Help me.

  • @ZeusBot said:
    Guys, how do we find the last char of the pass? I created a script and guessed all chars, but it still didn't work. Help me.

    Did you try all the letters, upper case and lower case, and symbols? Did you check if the login is correct (upper or lower case)?

    Fun times are bound to end. - Korosensei

  • Guys, can you tell me how to find the password for g* in the shell? I was the devil and I grabbed the shell. I'm stuck there.

  • Feel free to PM me if you're running into issues.

  • edited December 2018

    I'm lost on the priv esc to root. I thought the issue was going to be something "wild" with the "extraction", or something down the wrong binary "path", but I cannot get either of those two attack vectors to work correctly. I also cannot locate the "script" that is actually doing any of this, so my attempts are blind. Where did I go wrong?

    EDIT: Got it. Thanks, @DaChef's comment pointed me in the right direction. If you cannot get wild, maybe you can have it look someplace else.

  • Rooted :)

    Initial Foothold:

    As some people say in this thread, it is necessary to search the login page, but it is not necessary to use Hydra or brute force for the password; what you are looking for is in the Blackhat HS...

    User:
    Actually, I could not with the initial flag, but maybe it could be trying, trying and trying...? Or maybe you have to search for "something" on the server that allows me to be G** (any hint?)

    Root
    I saw this escalation method on another machine. It's all about looking for an unusual file on the server; using a privilege escalation enumeration script, you'll notice something strange.

  • @samsepi0l said:
    Rooted :)

    Initial Foothold:

    As some people say in this thread, it is necessary to search the login page, but it is not necessary to use Hydra or brute force for the password; what you are looking for is in the Blackhat HS...

    User:
    Actually, I could not with the initial flag, but maybe it could be trying, trying and trying...? Or maybe you have to search for "something" on the server that allows me to be G** (any hint?)

    Root
    I saw this escalation method on another machine. It's all about looking for an unusual file on the server; using a privilege escalation enumeration script, you'll notice something strange.

    This has been the best hint so far imo. Thanks.

    --Skunkfoot

  • The initial foothold and getting user eat most of the time. Getting user is more of a struggle than root. Also, with all the resets on the free server, maintaining a shell was tough.

    Overall, an okay-ish machine. Well, in the end, I learned something new. PM for hints if needed.

    Draco123

  • edited December 2018

    It took me quite a while to finish this box, mostly because I got very fed up with constant resets and having to go through all steps to get a shell again... Even on VIP, this kinda ruined the fun for me.

    The initial steps of the box aren't that realistic, but overall it's still pretty educational, as it touches several techniques and there are different ways of getting root.

    For foothold&user: make sure you enum the website properly. The site isn't actually big and what you're looking for stands out a lot, so this really shouldn't be an issue. Then, use the hint that has been given earlier regarding 'being evil'. Then, continue enumerating.
    For root: There is something going on in your home folder (which is pretty easy to find as your home folder isn't so big). Find out what's triggering it, go through it properly and think of ways to exploit it.

    Thanks to @Center for some hints!

  • I'm trying to be evil, but I can't seem to get it right. If anyone's able to lend a hand via PM, it would be appreciated.

  • Anyone care to answer a question about the initial foothold? I'm 99.9% sure I know where I'm supposed to be looking, but it won't work... I have reset the box also.

  • edited December 2018

    @hray & @iCk: read the POC and understand it, then just try getting RCE in various ways. Always start with the command PING IP, since it has no special characters and you can confirm you have RCE with it (tcpdump for ping on your local host). Once you get ping to work, you know you have RCE and can work on a shell from there. I'm not 100% sure, but I think if you do ping without -c 1 it hangs the server, so better to add that just in case, so you don't have to revert. I also believe the webshells spawned hang the server as well, resulting in all the reverts.

  • @cpazzolin said:
    I think someone made the root and user flags readable for everyone
    ...
    Now that I've got the box, I understand that this is one of the great defects of this box. I'm sure that many, like me, will end up getting the flag effortlessly because of this.

    Given that the machines are shared, it's to be expected. Whenever I get root trivially, I always revert and try to exploit again, just to be sure I got it the intended way. If not, then I'll know once I revert, and I can give it a go without 'an assist'.
