Teacher

Very nice user challenge which is common in real life. Root was a pain in the a** for me… spent too much time asking myself obvious aspects of sy******.

Rooted! =)

A good box to learn some basic things in my opinion :+1: . Thanks @Gioo! <3

All the tips and hints in the first pages of this thread are more than enough to own this box, so I won’t tell anything more. If you need some hints because you get stuck, PM me, you are welcome :wink:

Also, thanks to all the mates who shared their time with me along my journey ( @Puru @EthicalHCOP )

See you around!
:slight_smile:

Finally rooted!!! It took me forever to get here, it’s been a lot more complicated than I anticipated.
Thanks @Puru for your kind help. :slight_smile:

I got root, but I think I did it in a less-than-ideal way. Anyone mind chatting about how you did it? For some clarity, the way I went about it, I had to reset the box right after so that I didn’t ruin it for anyone else…

@crisco said:
I got root, but I think I did it in a less-than-ideal way. Anyone mind chatting about how you did it? For some clarity, the way I went about it, I had to reset the box right after so that I didn’t ruin it for anyone else…

I think there’s a lot of us who did exactly that and probably that is why there were soooooo many resets.
I think there has to be a more elegant (and non-destructive) way because this is not good practice and of course not at all stealthy.

I’m interested in creating a script for the initial foothold, be it bash shell or python.
The farthest I came is to create a q*** in m****e and from there on I’ve been doing it manually (it was a terrible hassle every time).
Anyone interested in talking about it just to learn?

I have a working scripted exploit for the initial shell access, if anyone is interested. I didn’t find a fully automated POC for this vulnerability anywhere (just a description of how to manually exploit it), so I’ve written this from scratch.

It’s able to trigger the vulnerability and clean up after itself. PM me if interested!

Any tips on the encoding used for RCE?

Did you try it without encoding?

@GordonFreeman said:
Did you try it without encoding?

I did, can’t get it to work. Tried p**g and used tcpdump. Still messing with it.

I started this 2 days ago, and got the initial login after about 7 hours of work. Pretty frustrated I missed it for so long after I found it.

I actually found the exploit for the initial shell before getting the creds too.

Problem is, now I’m struggling to get RCE because I suck at a certain language besides English, and I found out how to be evil, but trying to be a copycat, I found a robin type this-is-an-exploit-prevention. lol

If anyone is willing to PM me and point me towards a good resource for getting better at the language I suck at, which is relevant for this system, I would really appreciate it.

Spoiler Removed

Rooted this machine. If anyone needs help, feel free to PM :slight_smile:

Hey just a tip from my side: When you get your reverse shell: please please please daemonize the process using nohup.
Otherwise the service is blocked for others and people might try resetting for no reason.

Enjoyed the priv esc to root on this box! Ty for the experience…

I got root flag, is there a way to get a shell as root? Please PM me, thanks

I got Root flag… Thanks to @peek @DaChef @M4TRIXH4CK3R for pointing me in the right direction, and I learnt a few new things which make this hunt worthwhile. Thx for the support.

Many thanks to @masterrabbit and @malte for helping me on this one! Everything has already been said here but major advice to get root flag is paying attention to all processes. There are tools out there to help show processes you may not readily be able to see. I’m happy to help if anyone needs a nudge.

I have followed the video and read the whole page getting as evil as I can, but nothing seems to cause even the simplest RCE. Anybody please give me a small shove in the right direction? Thx

Edit - Finally got RCE :slight_smile:
Edit - Trying to escalate from w******a to user, but cannot see anything in the usual privesc scripts.
Anybody available via PM to run an eye over what I have tried so far?

Root was awesome on this box.
Try to find what is happening on “that” folder, not just guessing :slight_smile: