Chaos

Comments

  • I have mixed feelings with this box. The privesc was very straightforward and is likely something you'd see someone do in a real world scenario, but the initial foothold was just odd. PM me if you are totally stuck and need a nudge, but the hints in this thread are very helpful.

    billbrasky

  • After getting user I have to agree with the majority of opinions on this thread that this is a massively CTF oriented box and at a few steps I was purely in disbelief at the approach this box took. Thanks to the few that provided me with some hints!!

  • edited December 2018

    When you've found w*****l creds, look closely at your nmap scan and think of ways to utilize the service running with a known tool.

    tiger5tyle

  • edited December 2018

    Rooted.

    Learnt a few new things from this. Thanks @sahay

  • Chill out guys, the box was not that bad. I actually enjoyed it. My thank to the author sahay for the box.
    Some hints:
    - User: enumeration, use the information you found on one service for the other (at some point it might require some guessing, but no crazy bruteforcing required).
    Once you decrypt the encrypted file, RCE on the service would give you a shell. Then going to user is straightforward (might need escaping, or not; I didn't need to).
    - Root: everything you need is right in front of you. You should be able to find the thing that user saved one specific application.
    PM if you need a nudge.

  • Guys, I found the encrypted file and the encryptor, but I really don't know how to decrypt.

    Please give me some hints

    xterm

  • > @xterm said:
    > Guys, I found the encrypted file and the encryptor, but I really don't know how to decrypt.
    >
    > Please give me some hints

    First check what encryption cipher is used. Let's just pretend for now the cipher is a symmetric cipher. In that case the secret to encrypt and decrypt is the same. Some ciphers also need an initialization vector (usually called IV) that gets into the calculation as well and needs to be the same for both the encrypt and decrypt operation too.

    Now given you have, let's say, a python skeleton where some of the parts of the encryption scheme can be seen, i.e. the encryption part, I'd first try to find out how the encryption part works by making a fully working example: add the needed imports (if you don't know the libs, just ask Mr. Google), call the functions that are in the skeleton and encrypt a file. Some debug and xxd output of the encrypted file might help understand what data gets written to what part of the encrypted file.

    Now work the steps back: write a decrypt function that gets all the parts needed for decryption from what you have. Some might be in the encrypted file (i.e. the chunk of ciphered text, ...), some might be unknown and might need brute-forcing or guessing/reading what you have :wink:. Pay attention to what happens to input in the encryptor: some cipher functions need aligned input, so sometimes the coder just uses some functions that convert user input into aligned output (hash functions come in handy sometimes).

    This worked for me although I am not too familiar with the scripting language that was needed here. It is mostly a matter of doing the steps in reverse order.
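The approach in the post above, carried through as an added example (this is not the box's script nor the poster's code): a small symmetric encryptor that derives a fixed-length key by hashing a password, writes a random IV at the start of the file, and XORs the data with a keystream; then a decryptor written by reversing those steps, and a password-list search that uses a known marker to tell a right guess from a wrong one. The cipher (an HMAC-SHA256 keystream), the file layout, the `ENC1` marker and the sample password list are all assumptions made for the demonstration so that it runs on the standard library alone; none of them describe the real encryptor on the box.

```python
"""Added example: write the encryptor first, then derive the decryptor
from it step by step. Toy cipher built from the standard library only;
it is here to show the method, not as a recommended cipher."""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional, Tuple

# Constructed file marker: encrypted along with the data so a candidate
# password can be checked without knowing the full plaintext.
MAGIC = b"ENC1"
IV_LEN = 16


def derive_key(password: str) -> bytes:
    # Symmetric scheme: the same key is used for encrypt and decrypt.
    # Hashing turns a password of any length into aligned, fixed-size key
    # material, which is the "alignment" trick the post mentions.
    return hashlib.sha256(password.encode()).digest()


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode style keystream: HMAC(key, iv || counter) per 32-byte chunk.
    # The IV must be identical on both sides or the stream is different.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, password: str) -> bytes:
    key = derive_key(password)
    iv = os.urandom(IV_LEN)
    ks = keystream(key, iv, len(MAGIC) + len(plaintext))
    body = bytes(a ^ b for a, b in zip(MAGIC + plaintext, ks))
    # File layout (assumed): 16-byte IV in the clear, then the ciphertext.
    return iv + body


def decrypt(blob: bytes, password: str) -> Optional[bytes]:
    # Reverse of encrypt(): split off the IV the encryptor stored, rebuild the
    # same key and keystream, XOR again. Returns None if the marker does not
    # come back, i.e. the password was wrong.
    if len(blob) < IV_LEN + len(MAGIC):
        return None
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    ks = keystream(derive_key(password), iv, len(body))
    plain = bytes(a ^ b for a, b in zip(body, ks))
    if not plain.startswith(MAGIC):
        return None
    return plain[len(MAGIC):]


def crack(blob: bytes, wordlist: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    # Password-list search: try each candidate, stop at the first that decrypts.
    for candidate in wordlist:
        plain = decrypt(blob, candidate)
        if plain is not None:
            return candidate, plain
    return None


def layout(blob: bytes) -> str:
    # The "xxd" step: show which bytes of the file are IV and which are data.
    return "iv=%s body=%s" % (blob[:IV_LEN].hex(), blob[IV_LEN:].hex())


def demo() -> Optional[Tuple[str, bytes]]:
    # Constructed sample data and password list; nothing from the box.
    secret = b"sample plaintext, not the box's file\n"
    blob = encrypt(secret, "correct horse")
    print(layout(blob))
    return crack(blob, ["password", "chaos", "correct horse"])


if __name__ == "__main__":
    print(demo())
```

The useful habit is the one the post describes: get the encryptor running on your own input first, dump the output, and only then write `decrypt()` so that each line mirrors a line of `encrypt()`. The marker check is what makes a password-list search decidable; if the real file has no marker, a printable-text or known-header check on the first bytes serves the same purpose.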
  • OR just use some google-fu and find exactly the same script with the decrypt function already written...

    decart

  • Anyone got a hint how to 'exploit' the thingy on the long url?

    center

  • @decart said:
    OR just use some google-fu and find exactly the same script with the decrypt function already written...

    So then it's easier for all of you.

    I did not google - just did some dd and y in vim and came to a brute-force script in about 5 minutes. Then I realized that I do not need to brute-force as the password is given in text :wink: - so I just included this single password in my password.lst in the script :joy:

  • edited December 2018

    Anyone got any tips? Found w******n but can't seem to find any creds.

  • Where are these creds that people seem to have found?

  • edited December 2018

    @ko260 said:
    Where are these creds that people seem to have found?

    Exactly. I spent all day running gobuster / cewl and guessing. Reset the box. Still Nothing. I suck at guessing.

  • Anyone mind sharing a hint for what to do after decrypting. Cant seem to find the place mentioned for P**

  • @dualfade said:

    @ko260 said:
    Where are these creds that people seem to have found?

    Exactly. I spent all day running gobuster / cewl and guessing. Reset the box. Still Nothing.

    I found them in the end, this is a strange box imo. I now have the creds and have logged in one P**3 service but nothing in there :(

  • @ko260 said:

    @dualfade said:

    @ko260 said:
    Where are these creds that people seem to have found?

    Exactly. I spent all day running gobuster / cewl and guessing. Reset the box. Still Nothing.

    I found them in the end, this is a strange box imo. I now have the creds and have logged in one P**3 service but nothing in there :(

    You're ahead of me then hah

  • Huh... thanks @k0260 The reset must have done something. odd.

  • @xterm said:
    Guys, I found the encrypted file and the encryptor, but I really don't know how to decrypt.

    Please give me some hints

    You can also use the 'default command line tool for all things crypto'. It has some issues with the beginning of the file but I did not bother to sort them out. The actual content is decrypted correctly using a single command.

    Using the scripting language is the 'right' solution I guess, but I was curious if I could quickly get it to work using the other tool.

  • no idea where ze creds either :/

  • Guys, if someone managed to decrypt the file, PM me. I am stuck: I wrote the decryptor and tried the password that came along with the file, but I am still stuck.

  • jkrjkr
    edited December 2018

    So if someone could PM me about the rb*** of user ay***. It is not working as it is expected to work by the creator of the box: I can use it freely, no restrictions.

    I'd be happy to know how I escaped that feature without even trying :joy:. Thanks!

  • So I got a shell as ww***** but I can't seem to go any further in the system. Did I get the shell incorrectly, or do I just need to enumerate more from this foothold?

  • Okay, into user.txt. This box does not seem like an easy one, at least for me and for the other noobs out there! Anyway, if any help is needed you can PM me, "BUT FIRST SAY WHAT YOU HAVE DONE" :)

    Work hard in silence, let your success be your noise

  • edited December 2018

    Okay!!! This box was more fun than I anticipated! Priv esc was quite nice :D

  • Hey guys, could someone please drop me a hint on the decryption? In all honesty... I have no idea!

    If someone was helpful, don't forget to give +1 Respect.
    Arrexel

  • That was a very cool box. I really didn't like the password guess work in the beginning but as a whole this is a very well done machine. Not sure why others are saying diff. Just my 2 cents.

    The RCE type was new for me; Really dug that.
    Root; Was... Definitely very cool. At least I thought so.

  • Hi guys, any ideas on how to escape rbash?

    Hack The Box

  • Finally rooted.

    User: It will Chaos you. Make sure you gobust everything instead of sticking to domains, and identify the open source thing. From there everything is straightforward, involving multiple steps: decryption, later injection, shell escape and user. Not very realistic :(

    Root: Once you have user you can see it in front of your nose. Then think about how to use the lazy feature in the browser to see it.

    MrR3boot
    Learn | Hack | Have Fun

  • edited December 2018

    This box is... frustrating to say the least. I decrypted the thing, but what am I supposed to do with p** c***** s******? The URL seems like a troll.. any hints in PM would be appreciated as I'm fresh out of magic to solve this mystery..

    Edit: nevermind, was having DNS issues
