Lightweight

Rooted, thanks to @cornholio for User, thanks for forum hints for root, it was way easier than I tought.
Feel free to PM for hints.

Got user, followed the trail so I could switch user twice, but now I’m kinda stuck. I assume I have to use the binary that’s not t**p to read the flag from root folder, right ?

If someone can pm me about my assumption, that would be awesome !

EDIT: got root, thanks to @clmtn for confirming me I was on proper tracks and @Nofix for the awesome ressource !

Anybody else get a root shell? Wondering if someone did it different than me

The webpage doesn’t even load for me, what insanely small detail am I missing here…

Ok, this is an odd request. I got the ldap*1/2 passwords, the root flag and the user flag, but I never figured out how to escalate from the initial shell. Would someone mind PMing me and walking me through the proper way I was supposed to do this? I know I didn’t do it the right way.

I need hint, stuck on getting root. I am logged in as ldap1. I read the man page for op****l twice. Can’t figure out away to use it to read files

Got both flags but no root reverse shell

Also, when people have rooted a box please can they remove any access they created (like an account with root privileges that I could just su to without a password. Although I didn’t use this to get the flags).

Anyone got tips/hints for initial enumeration? Done initial nmap etc, but not sure on where to go from here for this box :stuck_out_tongue:

Drop me a dm and i see what i can do to help

Got root + root shell

Fairly straight forward

Standard nmap enumeration

Initial foothold
Read whats in front of you clearly - specifically what runs on port 80 !

1st user : The box name is a dead giveaway as to whats going on. Leverage your attack internally, might take a while to get want you need - try multiple queries

2nd user : don’t over complicate things - a basic list is all you need

Root flag - look whats in front of you and see what its capable of. If its not behaving how you expect it might be worth specifying direct path (this got me stuck for a couple hours)

Root Shell - if it can read then it can also write

For the last 2 days I have done some queries and looking at the output believe got something. Do you need to decrypt or is it in plain text. Can’t get to user access.

@safexsal said:
For the last 2 days I have done some queries and looking at the output believe got something. Do you need to decrypt or is it in plain text. Can’t get to user access.

No decryption is required to get user access.

Can anyone throw me a hint, I think I’m at the last step, I have access to the two users, and I can see user 1 has two binaries in their home area that can be executed with enhanced privs over what their account has.

What I just can’t get is the last step of using the T or O binaries to get the flag. I think I need the O file but I’ve tried reading the flags file as in as an input command but get access denied.

I’m pretty sure that o****** should be used, but stuck on permission for reading.
I need a hint - this binary should be run from other script/program? or directly?

Finally rooted the box, all you need is in this thread. For popping a root shell, if you can read then you can write! Happy to provide hints for anyone stuck.

Hi!
Rooted, but actually didn’t get what is happening when the creds of ld****ser2 are exposed. What is causing this? which process? Does someone know?

Rooted this machine if anyone need help feel free to pm :slight_smile:

can not capure any thing with **dum. Can any one help me with the command ?

Anyone can pm me for initial user, im kinda stuck (have some data from t****p but do not know how to use it, or if it is a deep hole i dig for myself :frowning: Thanks!

Thanks to @samsepi0l and @Nofix for hints, it was not so easy as i thought and im glad to help anyone im PM.