Redcross

12467

Comments

  • I've been stuck for days in the ad**n panel (I already found the way to "log as" that user). I've tried a lot of things, each of them more esoteric than the last... but I can't figure out how to advance to the next step...

    Is someone able to give me a nudge? Thanks in advance!

  • Done. Rooted first. Lots of hopping around and some goofy ass shit. Special thanks to @rotarydrone. My advice would be the same as I have seen prior: figure out how this thing works.

  • Rooted. Took a break from the direct root route and went for user first. This is a great example of some of the lessons you learn from OSCP: don't just attack the first thing you see, and know when to move on to something else. Yeah, it might be a longer route, but it might also be easier.

  • Could anyone nudge me as to how to find the second login page? I have the first one and I have done enumeration, but I am not able to find the second one.

  • That was fun... once I had finally gotten RCE, things went quite rapidly, one breadcrumb at a time. I've taken the non-BOF route now, but I'm keen to give that a try too.

    If anyone needs a nudge in the right direction, feel free to PM me.

  • Went the non-BOF route as well, and just got root. That was a good challenge!

  • edited December 2018

    Rooted. A very well made box; it felt very realistic throughout the whole way.
    My review for this box is that although it was not technically difficult, it required some critical thinking in order to get it done; it wasn't hard once you realize what you have to do. I spent many hours doing stupid things and the answer was in front of me all this time, but finally I got there with a little bit of help. Thanks @dualfade.

    I read there are multiple ways to get root (apart from the binary) but I managed to do only one. I'm interested to know how others did it; although I have an idea, I would like to discuss it further.

    These are the kind of boxes we need; it had a nice touch of realism and critical thinking ;)
    Now I understand the creators need to spend some time creating machines like these, but I would rather spend my time solving something that I would face in a pentest scenario rather than decoding some god-forsaken esolang (is that what they're called?). "Frolic", I'm looking at you; I was cringing throughout the first part.

  • edited December 2018

    Can someone give me a hint on priv escalation? I've got a reverse shell with user pe****pe, but I can't find a proper way to escalate to root. I've only found a certain binary, but I don't want to play with BOF and ASLR.

  • @veterano said:
    Can someone give me a hint on priv escalation? I've got a reverse shell with user pe****pe, but I can't find a proper way to escalate to root. I've only found a certain binary, but I don't want to play with BOF and ASLR.

    Now that you have access, do some enumeration. Look around at things.
    That's cool you got that user... I never ended up getting access to that user in particular. Must be multiple routes to make this work, lol.

  • I did the enumeration, but I'm running out of ideas. Is the /usr/bin/python2.7 /root/bin/red*****.py useful for anything?

  • I'm currently pretty stuck in the limited shell and have only one way to go: the .c file, but I am unsure how to proceed. Anyone willing to help me out here?

  • Rooted without touching the binary :)

  • Rooted here too. This was a hard one, maybe because there are so many paths that you better look for more options before you keep struggling against the same wall for hours. I think that is the key to this box. You need to understand ALL about how this server works. I learned a lot :)

  • @0xd1360b said:
    Rooted here too. This was a hard one, maybe because there are so many paths that you better look for more options before you keep struggling against the same wall for hours. I think that is the key to this box. You need to understand ALL about how this server works. I learned a lot :)

    Same here. Just rooted it without the "intended" method. There was a lot to absorb with this machine and a lot of little things to watch for. I can't say I had fun with this one, but I learned a few things.

  • Rooted. This Box was really awesome. Many different ways to get in and to root :).
    If anyone needs help feel free to PM me.

  • I'm completely stuck on the admin panel for now. Could anyone give me a nudge?

  • Again, thanks for this box. It was awesome, but I didn't like it too much.

    My Hints

    This machine is two in one. For the first part, don't discard the params in POST requests (this will give you RCE).

    To get root you need to verify the app and credentials, and enumerate (as usual). When you find the other users, just create yours and give it his status. Then check the processes executing on the machine and read the forum XD

  • Rooted this amazing box. Did it a different way, but I'm interested to know how people did it the ret2libc way. Feel free to PM me.

  • edited December 2018

    I have four users; according to the tracks, the indicated one is p******e. Is it necessary to use brute force to find the password, or to try to decrypt the hash, or just to guess it according to the information on the site? If so, could I get some hint?

  • Hey all, I've found the "credentials" and have logged in. Found that the feature is vulnerable to S**i but can't seem to find the right syntax; what usually works for me isn't working. Anybody willing to help me out, please PM me :)

  • Tedious, this one! I got backend access, the four accounts and hashes, but I can't get into a* other than with the account that gets booted. Still trying things, but progress is slow. Blowfish is a bastard to crack. Some tips mention you can guess p******e creds, but if that's the case my guessing has been sucking for a day or so. Automated some defaults and some of the data from the backend, no joy yet. Trying to find a way to add data, but I think I need access to a* first.

  • @ashr said:
    Tedious, this one! I got backend access, the four accounts and hashes, but I can't get into a* other than with the account that gets booted. Still trying things, but progress is slow. Blowfish is a bastard to crack. Some tips mention you can guess p******e creds, but if that's the case my guessing has been sucking for a day or so. Automated some defaults and some of the data from the backend, no joy yet. Trying to find a way to add data, but I think I need access to a* first.

    After two days I managed to move on. I have a shell as www; I'm seeing if I can root from this user...

    Regarding the hashes, there are several ways to move forward. Try to break the hash of ch*r***; it will not take you more than 5 minutes using John or hashcat. When you break the password you will see that it is an important clue. Do not forget to check everything; I'm not talking about just using gobuster. In this thread several people talk about having found more than one login; the answer to this is in the messages in the database.

  • I've moved on with a push towards a vuln I didn't think would be useful. Thanks @samsepi0l.

  • Good hint :)

    @CHUCHO said:
    Again, thanks for this box. It was awesome, but I didn't like it too much.

    My Hints

    This machine is two in one. For the first part, don't discard the params in POST requests (this will give you RCE).

    To get root you need to verify the app and credentials, and enumerate (as usual). When you find the other users, just create yours and give it his status. Then check the processes executing on the machine and read the forum XD

    Initial Foothold
    It was difficult to obtain the user. As many say in this thread, you have to look for all the logins; after this, go for the credentials (there are also key clues in this thread for the enumeration). There are several ways to do it; I have seen at least two vulnerabilities to achieve it. For those who achieved the S** In******n, at least one of the hashes can be cracked; it will not take much time, and the password is an important clue to realize another vulnerability that you could have used before xD. Once in, the next step is the RCE; it took me a long time, even though I have done this attack vector on another machine. Look at the POST parameters and play with them.

    User & Root
    In this part I went directly to root; it was easier than the user. Although many talk about BOF, I took advantage of the problems of the web application. If you put the correct number you can enjoy the grace period on the machine with your user :D

  • 9a7d3e2c3ffb452b2e40784f77723938/573ba8e9bfd0abd3d69d8395db582a9e

    Was anyone able to access the above? I'm stuck again, in the restricted shell this time; I can't see my way forward without BOF. I've tried add/remove funkiness on the admin side, but can't seem to get anything to run there or to change the behaviour of the mechanisms involved. Does this involve guessing action names and parameters?

    So frustrated now. I'm starting with the overflow, but would still like a tip for the other way(s); either way, answering the above two questions will help me. Thanks.

  • Very nice box, lots to learn. Thanks to @kekra for pushing me in the right direction.
    Great job @ompamo!
    Still trying to find other ways to root without BOF, as discussed here.
    Feel free to PM for hints!

  • edited December 2018

    @ashr said:
    9a7d3e2c3ffb452b2e40784f77723938/573ba8e9bfd0abd3d69d8395db582a9e

    Was anyone able to access the above? I'm stuck again, in the restricted shell this time; I can't see my way forward without BOF. I've tried add/remove funkiness on the admin side, but can't seem to get anything to run there or to change the behaviour of the mechanisms involved. Does this involve guessing action names and parameters?

    So frustrated now. I'm starting with the overflow, but would still like a tip for the other way(s); either way, answering the above two questions will help me. Thanks.

    Go back to the shell you were in when you found the 9a7*/573* thing. Have a closer look at all of the files and you'll certainly find some other useful bits of information. Armed with the info in these files, you can manually do the same but with evil intent. No guessing needed, and privesc didn't require BOF.

  • Rooted the box the hard way (www-data -> root). If someone wants to use this way, just poke me for help!

  • @paw said:
    Rooted the box the hard way (www-data -> root). If someone wants to use this way, just poke me for help!

    Is there another way? :joy:

  • @jkr said:

    @paw said:
    Rooted the box the hard way (www-data -> root). If someone wants to use this way, just poke me for help!

    Is there another way? :joy:

    From what I read in here, it seems like it... lol