Dab

any help with priv esc appreciated

Nice box! I learned a lot about a couple of different technologies with this one. Apart from the trolls I think this was actually fairly straightforward, just a matter of understanding the technologies involved, reading the man pages and figuring out which documented and undocumented commands or arguments will help you. Happy to help through DM if you are stuck.

Phew, got root. Awesome box @snowscan, I always enjoy a box with a bunch of steps. Plus I always enjoy learning about stuff I’ve never come across before.

initial foothold…?

Have been running hydra against some list for days now. Not getting creds for p:80 and Firefox does not allow me to set cookies for p:8080. Can someone please PM me with help on better word lists to fuzz with? Many thanks in advance.

Got root, learned a lot trying different things. Also very challenging, couldn’t get burp intruder to work correctly, but found another way :)

Hi there,

I am struggling to get past initial foothold.
Already downloaded file and extracted results, but no idea on what to do.
On web, I really don’t know what I can do. SQLi? Bruteforce? What are cookies?

Could someone PM me with directions?

Cheers

Amazing box, thanks @snowscan, I learnt a lot from this one. Could anyone who got root by altering something DM me to clarify how exactly it works? I get what’s happening but am confused by some details…

I found several articles that explained parts of the process and was able to exploit it using these as a guide; however some of the things mentioned don’t appear to make a difference to the execution. I’m redoing it now and trying to find the simplest working exploit to weed out the unnecessary bits.

Cheers in advance.

Most challenging box for me
But finally completed it
If anyone needs help feel free to pm.

@zz123 said:
Most challenging box for me
But finally completed it
If anyone needs help feel free to pm.

I pm’d you

Such a great learning experience! I didn’t like the user part (at first), but then I had no problem finishing it. Privesc was also very interesting and original, and something I learned a lot from!

Got it. Parts of user were too contrived/CTF-like, but root was pretty interesting and certainly a useful technique.

Am I supposed to brute force directories or am I missing something? The other website shows a cookie not set error. Any hints to get past this?

@hansraj47 said:
Am I supposed to brute force directories or am I missing something? The other website shows a cookie not set error. Any hints to get past this?

Nope, no need to brute force directories. The error is showing because you need to find the right value for one of the parameters there.

Can’t understand a thing guys, I have tried intercepting the request and playing around with some HTTP headers to get a cookie, but nothing. Been at it for a while now and would like some help with this now.

Any hints on initial foothold? d**.jpg seems to be a rabbit hole. 8*** seems to require a cookie?

I have the credentials to the site and can login using a slightly different username, captured the thing and decoded it partially, still can’t understand how to get past the cookie not set error.

Just added the encoded string to a cookie but still gives the same cookie not set error.

Managed to get the cookie part. And am now struggling to get my socks on right… Any hints on where to go from here? Still haven’t got credentials yet for the main page

I have found that the “socks” part is very sensitive to the application you’re using. I spent an age using a well-known program, only to discover that I was doing everything right, but the app was not producing the result I wanted.