Curling

I’m banging my head against the wall here.
I’ve logged into the admin panel, but all my attempts to upload a reverse shell have failed, as Joomla always sanitises everything even if I change the plugin options etc. I’m wondering if anyone could push me in the right direction.

I have got the s*****.t**. Is SSH into Fl**** possible?

@JCisme said:
I have got the s*****.t**. Is SSH into Fl**** possible?

Try and you’ll find out. If using the file you found to SSH in doesn’t work, try to use it in another way.

OK, onto root now. Thanks guys for the tips!

Stop defacing the index!!! WTF

@nonamesfor said:
Stop defacing the index!!! WTF

but that’s half the fun! :tongue:

Finally rooted that one. Root.txt was quite simple, but the root shell was a bit more elaborate because I didn’t know such methods. Learned quite a few things. Thanks @L4mpje for this box, it was quite fun! :slight_smile:
If anyone needs a few hints, send a PM!

Got user and root.txt. Can anyone PM me hints for the root shell? If you’re gonna PM me for hints, please include what you tried and what didn’t work, and we can go from there. I literally had one person PM me saying "can I know what the solution is and I’ll learn from the solution". SMH

UPDATE:

Thanks @devilswolf @jkr @L4mpje and everyone on this thread for your help! It’s only easy once you know how :smiley:

Alright, I have to ask. Either someone is trolling me (I see you in there =P) or I am overlooking something right in front of me. So far, I’ve gotten this:

  • I have the user.txt and a low-priv user shell, both through a reverse shell and through SSH, so I can run commands as two users.
  • I can see the files in the a****-**** and see the events and the output.
  • I can use those events to make other things happen by editing things, but that may screw things up for other people here, so I have not used this avenue.

What am I missing here? I cannot for the life of me find the source of the changes reflected in the a****-****.

Any hints or nudges in PM would be welcome.

@sec4rc You are on the right track. If you are concerned with screwing anything up, just be sure to quickly change things back once you are done.

I am really enjoying this box. So far I managed to get a low-level shell in 15-20 mins, and the user escalation was pretty simple for me: I have just completed the “overthewire” bandit tutorials, and the file type jogged my memory straight away, so I had a user shell within 30 mins. I have also worked out why the box is called ‘curling’; now I just need to exploit this, but I’m having an issue with other users overwriting my data before my plan works. I’ll attempt root again at a quieter period.

Edit: It wasn’t other users, it was clearly a cron. I have root, be quick :+1:

@MakoWish said:
@sec4rc You are on the right track. If you are concerned with screwing anything up, just be sure to quickly change things back once you are done.

Thanks friend. It helped to take a step back. I used the i**** to spawn a reverse shell yesterday, but since that didn’t return the credentials I (wrongly) expected (at 4 am in the morning), I drew the wrong conclusions and started trying to get at the file which informed the i****-file. That was, in retrospect, stupid. =)

Did what I needed with what I had in front of me, and that took me to the root.txt and through a weird detour to root shell.

If anyone needs hints, I’ll gladly help if I can. Fun box. Creds to the creator!

■■■■ IT.
STOP MESSING WITH THE INDEX PAGE.
Have you considered putting your testing efforts on a separate page instead of screwing up the machine and having it reset every 2 min?

I need a tip or a push in the right direction with getting or seeing user. I can see the .txt location, I just don’t know how to view it. The commands I’ve used don’t work. I may also be overthinking it.

Right, so I’m in the special an-a*s area. I managed to get the user while on break at work, but maybe it’s my tired Friday night brain: I cannot figure out what to put in THAT file to get it to output what I’d like. Anybody able to give me a hint? Thanks.

@Epictetus said:
Right, so I’m in the special an-a*s area. I managed to get the user while on break at work, but maybe it’s my tired Friday night brain: I cannot figure out what to put in THAT file to get it to output what I’d like. Anybody able to give me a hint? Thanks.

If you can deduce what application is at work and the relationship between the files and what is going on around you, you should research that application’s syntax and take it from there. You know what you want and where to find it, so go get it and output it where you are allowed to.

So I got root.txt. It took forever on the VIP server; I switched to free and the same method worked instantly. Go figure.

Thanks so much to @sec4rc and @jkr for the help. I guess I would have eventually gone insane if I hadn’t tried the free server.

Well, I was able to see user.txt last night, but after the resets I’m back at square one. I think I was able to see it due to someone who already had an exploit running on the machine. The machine is getting restarted every few minutes, so I’m not able to do anything to figure this out. First time trying to do this.

The hint is there in the box’s name. For the life of me, I couldn’t understand the sport though.

I got user and now I’m probably overthinking priv esc… Can somebody DM me some hints?