Lightweight

The webpage doesn’t even load for me, what insanely small detail am I missing here…

Ok, this is an odd request. I got the ldap*1/2 passwords, the root flag and the user flag, but I never figured out how to escalate from the initial shell. Would someone mind PMing me and walking me through the proper way I was supposed to do this? I know I didn’t do it the right way.

I need a hint, stuck on getting root. I am logged in as ldap1. I read the man page for op****l twice. Can’t figure out a way to use it to read files.

Got both flags but no root reverse shell

Also, when people have rooted a box, please can they remove any access they created (like an account with root privileges that I could just su to without a password)? Although I didn’t use this to get the flags.

Anyone got tips/hints for initial enumeration? Done initial nmap etc, but not sure on where to go from here for this box :stuck_out_tongue:

Drop me a DM and I'll see what I can do to help

Got root + root shell

Fairly straightforward

Standard nmap enumeration

Initial foothold
Read what's in front of you clearly - specifically what runs on port 80!

1st user : The box name is a dead giveaway as to what's going on. Leverage your attack internally, might take a while to get what you need - try multiple queries

2nd user : don’t over complicate things - a basic list is all you need

Root flag - look at what's in front of you and see what it's capable of. If it's not behaving how you expect, it might be worth specifying the direct path (this got me stuck for a couple of hours)

Root Shell - if it can read then it can also write

For the last 2 days I have done some queries and, looking at the output, believe I got something. Do you need to decrypt or is it in plain text? Can’t get to user access.

@safexsal said:
For the last 2 days I have done some queries and, looking at the output, believe I got something. Do you need to decrypt or is it in plain text? Can’t get to user access.

No decryption is required to get user access.

Can anyone throw me a hint, I think I’m at the last step, I have access to the two users, and I can see user 1 has two binaries in their home area that can be executed with enhanced privs over what their account has.

What I just can’t get is the last step of using the T or O binaries to get the flag. I think I need the O file but I’ve tried reading the flags file as in as an input command but get access denied.

I’m pretty sure that o****** should be used, but I'm stuck on permission for reading.
I need a hint - should this binary be run from another script/program, or directly?

Finally rooted the box, all you need is in this thread. For popping a root shell, if you can read then you can write! Happy to provide hints for anyone stuck.

Hi!
Rooted, but actually didn’t get what is happening when the creds of ld****ser2 are exposed. What is causing this? Which process? Does someone know?

Rooted this machine. If anyone needs help, feel free to PM :slight_smile:

Cannot capture anything with **dum. Can anyone help me with the command?

Can anyone PM me for initial user? I'm kinda stuck (have some data from t****p but do not know how to use it, or if it is a deep hole I dig for myself) :frowning: Thanks!

Thanks to @samsepi0l and @Nofix for hints, it was not as easy as I thought and I'm glad to help anyone in PM.

Any hint about what to do to trigger t*****p on a specific port? I tried navigating on the web, launching features of the web,…

MP me.

Some (hopefully) non spoiler-y comments for anyone stuck.

Initial foothold - Check the simplest thing you could possibly do on a fresh box.

User:

  • Take a moment and listen to the box, particularly when you look at something that loads slower than expected.
  • Do not over-complicate once you’ve heard something - the answer is in front of you.
  • Do not attempt to SSH with your answer (refused to work for me at least), there’s a very common way to change user from your foothold.
  • I couldn’t directly move any files between the box and my machine. @waspy's comment on page 6 definitely works.

Elevation:

  • As others have mentioned - something is more capable than it should be.
  • When running the above explicitly write every filepath; do not be lazy or it won’t work!
  • If you don’t know what filepath you’re after, check out the end of any of IppSec’s YouTube videos, you’ll find what you need.

I’m a scrub but happy to take on PMs if needed.

Rooted :slight_smile: Learned a lot from this box