Carrier

So, I’m gonna leave my own two cents here:
First of all this is really a nice box, user is rather easy and only requires some enumeration in the right places. Don’t focus only on HTTP for information.
Root is a bit harder if you aren’t familiar with the concepts & services/protocols behind it, but in the end it’s quite logical and pretty simple once you’ve read up on the topic and tried around a bit. (Also thanks @jkr for his help with root here)

If you need some help with this box (user or root), feel free to PM me for hints and also explanations, so you don’t end up with the flag but don’t really understand how everything worked in the end.

Also thanks to @snowscan for providing us a possibility to get to know this kind of attack and actually execute it ourselves once, too.

Finally got root. If you are not one of the networking guys it could be a suffer… In this forum there are a lot of good hints, if you put it together, you can get root. Try not to over-complicate things, you only need to change one simple thing in one of the configuration files. On a free server it could be really tough and time consuming to achieve your goals because of the constant resets and edits.

Thanks @snowscan this machine reminds me to one of the hardest machines at OSCP course… It taught me new things and I need to learn basic network stuffs…

The user was really easy. That said I am enjoying the root part a lot.

I am fairly sure I am nearing the end but my t****mp is not doing anything on any interface. Any hints towards that?

And yes the free box resets a lot, it is quite annoying, but can live with it. :slight_smile:

Possibly I need to change some rules in ip*****?

Rooted!

This is by far my favorite box. Very complete in all aspects. Thanks to @snowscan for creating such an amazing and enjoyable box. <3

Also thanks @GDX and @aquira for your support!

If anybody get stuck, feel free to PM me, you are welcome.
=)

Rooted! What a rush. This was awesome. I learned sooo much. Took me a few days and some help (thanks @d4rkk and @GDX ).

Such an awesome box @snowcan ! Wooo!

I really enjoyed this box after tearing my hair out for an hour trying to figure out why traffic wasn’t flowing the way it should.

In order to get root remember traffic needs to flow both ways…

I consider myself pretty good on networking but I’m still learning and this box helped. It was also refreshing to see that a pivot was needed too. All in all great job @snowscan

If anyone is stuck on the networky stuff, feel free to PM me and I’ll share some tutorials that helped.

Can anyone help PM me with the RCE part.
Understand the encoding and what field to attempt it on, however, cannot get the reverse shell to connect.

Hello Guys… I’m new here … can you help me please…

First i enumerate the box i found the udp port…enumerated … i found the psswd using sn***lk but i don’t know the username can you help me please :slight_smile: thanks in advance …

@tacosaurus said:
I am stuck with user. I am playing with the check value but I find nothing interesting. I need a hint please

I’ve been stuck at the same point for more than a day. Can’t seam to get syntax correct or something because I can’t get *nix commands to return anything. Please help.

@redcypress @DeHackzU PM me! I can help you with rce. :slight_smile:

I figured out the proper syntax and another underlying problem.

stuck trying to find root. have already gained shell access to the 1st box and got user.txt. from all the posts here, i understand that I need to change the route or smth… but am stuck at which route to change…
Any kind soul here willing to point me in the right direction? :slight_smile:

Can anyone PM me with some help with the inital foothold?
I know I need to manipulate the c**k parameter after logging in to the admin portal. I have tried many manual techniques and commix but to no good. I have also made sure it’s the injection is properly encoded. Thanks in advance :slight_smile:

@R1pid said:
Can anyone PM me with some help with the inital foothold?
I know I need to manipulate the c**k parameter after logging in to the admin portal. I have tried many manual techniques and commix but to no good. I have also made sure it’s the injection is properly encoded. Thanks in advance :slight_smile:

This is a very obvious reply, but if you know where to go and what you need to do my advice is to stick with that and carefully craft your requests. Start with simple things and build your way up. Check your output, where things break and how you can string things together.

Hey everyone,

I finally got root, but just curious about why there is an additional “secretdata.txt” file. Has anyone checked what is that about?

PP

@pp123 said:
Hey everyone,

I finally got root, but just curious about why there is an additional “secretdata.txt” file. Has anyone checked what is that about?

PP

It does contain an easter egg. I don’t want to spoil it. Think about what kind of data you are looking at.

PS: If someone has a question, feel free to PM me if you are stuck.

Just got root and wow, this was my favorite box. It was more realistic than some other ones. :+1:

Can someone PM with some help. I feel like I was on the right track but I cannot find the serieal number I have enumerated a couple ports that I have found with built in nmap scans and haven’t been able to find anything worth while either.

Anyone up to help me out with priv esc.
Done till ftp part didn’t pop any info from that :frowning:

Thanks for the box @snowscan, it really got me out of my comfort zone!