Lightweight

Finally rooted, thx to @avetamine and @IteXss for heads up.
Also getting root shell is a nice challenge.
Still missing some understanding about how this o****** is capable of doing it. Would be nice if someone could PM me to discuss if my assumption is correct.

They deleted my post, probably because it was considered a spoiler. Anyone having questions can PM me.

@Uvemode said:
Got root and all, but I’m curious, how exactly?
‘It’ was blank, therefore shouldn’t be able to do anything special. I checked and blank means nothing, even with those ending flags, except that previous ‘it’ were removed. Surely I missed something.
@avetamine
There is a C function that translates a textual representation of what you can do into a binary one. In the man page there is also a section about what it means when ‘it’ is blank.

@Skunkfoot said:

@Baikuya said:

@Skunkfoot
It helps if you’ve completed Frolic.

Don’t you mean Waldo?

No, I meant Frolic, but completing Waldo will help too for a different part, so that’s a good point.

@librab103 said:

@Skunkfoot said:
This one was quite confusing for me, couldn't have done it without the hints that I got. The flow just didn't really seem to make sense to me. I'm gonna go back tomorrow and redo it starting from the beginning to see if it makes more sense now.

A couple issues I ran into:

* You may need to visit a couple of the webpages a couple times in your local browser to generate that which you seek for access to a certain user.
* If you're having trouble cracking anything, try reinstalling your tool or looking for alternatives.
* Always start with a small wordlist, don't jump straight to rockyou if you can avoid it. Sometimes the string you're looking for is simple.
* For root specifically (at least the flag, I haven't gotten the shell yet, one of my goals for tomorrow), when you're looking at what you're able to do, one of these things is not like the other. What can you do with that thing? It helps if you've completed Frolic.

Are you using Burp or your browser's inspect option to view the data going between host and remote?

No, or I don’t understand the question. You don’t need to inspect any captured data between you and the remote host, if that’s what you’re asking.

@Skunkfoot
I don’t see why completing Frolic helps in this box. Maybe PM me, I don’t get it.

edit

I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.

The most difficult part, or at least the part that took me more time was going from user2 to user1 and that’s because I’m a bit lazy.

Good box, I enjoyed it a lot. Thanks to the creator and thanks everybody for the help.

Sooo… I found two creds whilst logged in with the “easy” access account, both turned out to be $6$salt$hash. Been trying to bruteforce for a whole day using assorted wordlists etc. with no luck. Am I missing something?

any hints for root privesc???
cracking ba****.***

@mrflibbleoz said:
Been trying to bruteforce for a whole day using assorted wordlists etc. with no luck. Am I missing something?

Bruteforcing is a rabbit hole, though accounts are useful. You should think about a different approach to get the passwords.

@prokaryont said:

@Uvemode said:
Got root and all, but I’m curious, how exactly?
‘It’ was blank, therefore shouldn’t be able to do anything special. I checked and blank means nothing, even with those ending flags, except that previous ‘it’ were removed. Surely I missed something.
@avetamine
There is a C function that translates a textual representation of what you can do into a binary one. In the man page there is also a section about what it means when ‘it’ is blank.

You are right, it was at the man page. Just didn’t check for the right keywords.
Thanks.

Yes thanks for the insight @prokaryont

@mitoOo said:
any hints for root privesc???
cracking ba****.***

Once you crack that file and read the contents carefully, it should be straightforward. PM me if you need help

@epsequiel said:
I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.

So, as a tip, maybe you shouldn’t read through the forums if you don’t want the hints.

@TazWake said:

@epsequiel said:
I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.

So, as a tip, maybe you shouldn’t read through the forums if you don’t want the hints.

Of course, but in my case I was looking for hints on getting user1.

Any hints for the o****** part? Struggling to figure out a solution.

@rufy said:
Any hints for the o****** part? Struggling to figure out a solution.

NVM. Got it. Fun box with lots of new things to learn!

@Skunkfoot said:

@Baikuya said:

@Skunkfoot
It helps if you’ve completed Frolic.

Don’t you mean Waldo?

No, I meant Frolic, but completing Waldo will help too for a different part, so that’s a good point.

So apparently you may have used the tool I was referring to on Frolic, or you may have done it a completely different way. Sorry if that led to any confusion for people. I try to give subtle, logical hints that don’t reveal any direct spoilers, but admittedly, I’m not the best at it.

Anybody got root shell? I got root.txt but can’t get a shell. I’ll appreciate any hints.

@epsequiel said:
Anybody got root shell? I got root.txt but can’t get a shell. I’ll appreciate any hints.

It’s not that hard to get a root shell, if you can read root files maybe you can even write them 😉

Ahh what fun that was 🙂