Chaos

Rooted.

I do not know what to think of this box.

Several foolish steps and other interesting … :expressionless:

Thx guys for the directions.

Tip for privesc: The path to root is in front of you. Focus on the files that your user owns. Remember well all the passwords obtained throughout the process. They can be important in several steps.

If there is any spoiler here… feel free to edit my post :slight_smile:

can anyone PM with links that helps in understanding how to decrypt the file ??

I’m stuck. Found w****n and creds but don’t know what to do. Please PM.

Rooted…

This machine is rated easy, not because it is straightforward, but because it does not require any advanced knowledge in pen testing…

I don’t, however, think it will add much knowledge to a beginner trying to learn…

Most of the steps do not require complicated solutions, but rather looking around and eliminating potential solutions one by one until the right one is left.

If you are stuck, need a little help, or need just a nudge in the right direction, PM me and I’ll be glad to help :slight_smile:

I have mixed feelings with this box. The privesc was very straightforward and is likely something you’d see someone do in a real world scenario, but the initial foothold was just odd. PM me if you are totally stuck and need a nudge, but the hints in this thread are very helpful.

After getting user I have to agree with the majority of opinions on this thread that this is a massively CTF oriented box and at a few steps I was purely in disbelief at the approach this box took. Thanks to the few that provided me with some hints!!

When you’ve found w*****l creds, look closely at your nmap scan and think of ways to utilize the service running with a known tool.

Rooted.

Learnt a few new things from this. Thanks @sahay

Chill out guys, the box was not that bad. I actually enjoyed it. My thank to the author sahay for the box.
Some hints:

  • User: enumeration, use the information you found on one service for the other (at some point it might require some guessing, but no crazy bruteforcing required).
    Once decrypt the encrypted, RCE on the service would give you shell. Then going to user is straightforward (might need escaping/or not, I didn’t need to).
  • Root: everything you need is right in front of you. You should be able to find the thing that user saved one specific application.
    PM if you need a nudge.

?

Guys I found the encryted file and the encryptor, But I really dont know how to decrypt.

Please give me some hints

@xterm said:
Guys I found the encryted file and the encryptor, But I really dont know how to decrypt.

Please give me some hints

First check what encryption cipher is used. Let’s just pretend for now the cipher is a symmetric cipher. In that case the secret to encrypt and decrypt is the same. Some ciphers also need an initilization vector (usually called IV) that gets into the calculation as well an needs to be the same for both the encrypt and decrypt operation too.

Now given you have a let’s say python skeleton where some of the parts of the encryption scheme can be seen, i.e. the encryption part. I‘d first try to find out how the encryption part works by making a fully working example: add needed imports (if you don’t know the libs, just ask Mr. Google), call the functions that are in the skeleton and encrypt a file. Some debug and xxd output of the encrypted file might help understand what data gets written to what part of the encrypted file.

Now work the steps back: Write a decrypt function that gets all parts needed for decrypt function from what you have. Some might be in the encrypted file (i.e. the chunk of ciphered text, …), some might be unknown and might need brute-forcing or guessing/reading what you have :wink:. Pay attention to what happens to input in the encryptor - some cipher functions need aligned input so sometime the coder just uses some functions that convert user input into aligned output (hash functions come in handy sometimes).

This worked for me although I am not too familiar with the scripting language that was needed here. It is mostly a matter of doing the steps in reverse order.

OR just use some google-fu and find exactly the same script with the decrypt function already written…

Anyone got a hint how to ‘exploit’ the thingy on the long url?

@decart said:
OR just use some google-fu and find exactly the same script with the decrypt function already written…

So then it’s easier for all of you.

I did not google - just did some dd and y in vim and came to a brute-force script in about 5 minutes. Then I realized that I do not need to brute-force as the password is given in text :wink: - so I just included this single password in my password.lst in the script :joy:

Anyone got any tips? Found w******n but can’t seem to find any creds.

Where are these creds that people seem to have found?

@ko260 said:
Where are these creds that people seem to have found?

Exactly. I spent all day running gobuster / cewl and guessing. Reset the box. Still Nothing. I suck at guessing.

Anyone mind sharing a hint for what to do after decrypting. Cant seem to find the place mentioned for P**

@dualfade said:

@ko260 said:
Where are these creds that people seem to have found?

Exactly. I spent all day running gobuster / cewl and guessing. Reset the box. Still Nothing.

I found them in the end, this is a strange box imo. I now have the creds and have logged in one P**3 service but nothing in there :frowning: