Carrier

Stuck at Dia****** page. Don’t really know how to inject a reverse shell there. Can somebody help me ?

@kreskin I’m in the same boat I can change the ch*** variable to navigate through files but can’t execute code, any pm would be greatly appreciated

This machine is driving me crazy. Now tcpdump seems to only give me 74 bytes of packet data even though it says “capture size 262144 bytes” :anguished:

Finally rooted it :slight_smile:

Awesome box, and a complete change from most other challenges! All the hints for what needs to be done are called out within the application. Looks like their fixes aren’t correct! You need to expand on it a little bit and pretend to be a certain service :slight_smile:

As everyone has said, understand the type of machine you’re on, the primary services, and how they’re implemented in this environment. This is a practical attack and can happen both accidentally and intentionally.

Found the 2 docs but cannot login. Cant find any chesis number,

any hint?

I’ve yet to even get a shell on the machine.

I’ve found the non-tcp port everyone has posted about on this thread, and I’ve enumerated it with every script I can find. None of them return any results whatsoever. If somebody could PM me for help with the scripts I’d appreciate it.

Having problem with privsec, can someone sheds me some light for the b*** h*****? Need some help with v****. PM please.

I am stuck with user. I am playing with the check value but I find nothing interesting. I need a hint please

HOLY ■■■■ I’m so glad I rooted this box. I may have gone about rooting it in an unconventional way but I figured out the basic gist of it and managed to get it. Took me about 4 days but I figured it out. I learned quite a lot about a protocol I didn’t have much experience in in the first place. Still though, I can’t wait to see the writeups on this box after it gets retired so I can see how I managed to do it versus everyone else.

Initial foothold was straightforward, par for the course if you’re used to a lot of CtF scenarios. But the privesc…man. Good challenge!

I got user. Thank you all

Can someone help with the payload used for ch*** parameter? Im using b**p to intercept. Then use an encoded payload with netcat listening to the port but cant get it to work. Can i please get some help? PM or here. Thanks

Hi All, as Deus9 posted I am sitting in the same boat. Can someone please assist here I am banging my head against the wall. Please PM me

Rooted! Thanks for those helping me!!!

@Morf said:
Hi All, as Deus9 posted I am sitting in the same boat. Can someone please assist here I am banging my head against the wall. Please PM me

Did you try a simple payload (like pinging your IP with -c 2 :joy: and capturing ICMP on your tun0) to see if the pings arrive and your injection worked? If so, perhaps your payload is off or uses tools that are not on the box.

Hello guys
Ive been struggling for so long on the privesc part. I read all the papers i could find related to the attack but i fail to reproduce it on the box ><
Can someone PM me for some guidance ?
Thanks

I dont know what I’m missing on this one…Discovered s*** running and have been trying to enumerate to find serial #. MSF modules dont yield any information either. Anyone have a tip for getting user?

As mentioned by Jkr. I did a ping test and used Wi**s**** to capture the traffic. It worked but for some reason the I the n* function has no success. Please assist please PM me. Thanks

Finally got this rooted! This was quite interesting and took me back to university network books and what not. Really awesome challange @snowscan !

Got root!!!.. :angry: Got lucky since somebody is working on it…

Lost the fun…