Lightweight

I’m pretty sure that o****** should be used, but stuck on permission for reading.
I need a hint - this binary should be run from other script/program? or directly?

Finally rooted the box, all you need is in this thread. For popping a root shell, if you can read then you can write! Happy to provide hints for anyone stuck.

Hi!
Rooted, but actually didn’t get what is happening when the creds of ld****ser2 are exposed. What is causing this? which process? Does someone know?

Rooted this machine if anyone need help feel free to pm :slight_smile:

can not capure any thing with **dum. Can any one help me with the command ?

Anyone can pm me for initial user, im kinda stuck (have some data from t****p but do not know how to use it, or if it is a deep hole i dig for myself :frowning: Thanks!

Thanks to @samsepi0l and @Nofix for hints, it was not so easy as i thought and im glad to help anyone im PM.

Any hint about what to do to trigger t*****p on a specific port? I tried navigating on the web, launching features of the web,…

MP me.

Some (hopefully) non spoiler-y comments for anyone stuck.

Initial foothold - Check the simplest thing you could possibly do on a fresh box.

User:

  • Take a moment and listen to the box, particularly when you look at something that loads slower than expected.
  • Do not over-complicate once you’ve heard something - the answer is in front you.
  • Do not attempt to SSH with your answer (refused to work for me at least), there’s a very common way to change user from your foothold.
  • I couldn’t directly move any files between the box and my machine. @waspy comment on page 6 definitely works.

Elevation:

  • As others have mentioned - something is more capable than it should be.
  • When running the above explicitly write every filepath; do not be lazy or it won’t work!
  • If you don’t know what filepath you’re after, check out the end of any of IppSec’s Youtube videos, you’ll find what you need.

I’m a scrub but happy to take on PMs if needed.

rooted :slight_smile: learned alot from this box

rooted. learned a lot, thanks, if u need help, tell me.

Can someone PM a hint for root flag? I got access to both users, got access to the zip but clueless on what to do now. Not getting much wiser reading about capabilities

I could use a nudge. Only got the initial ssh and a couple sha512 hashes. t*****p gives me nothing useful :confused:
edit1: got it, cheers @clmtn

Would anyone be able to provide a hint for User? Like @sanre initial query I am unsure on how to get the information I need using t*****p

EDIT: Reached l*******1, now to figure out root…
EDIT2: Rooted, Thanks for the advise folks!

finally got root but still got some questions on why something worked the way it worked

PM would be nice

Anyone able to help with escalating from the first user? I’ve ran the tp but am getting the same information that I got from the n script. I’ve tried using {***}* to login as well as the full hashes, but no luck.

EDIT: Nevermind, make sure you listen in the right places! :confounded:
EDIT 2: Rooted… paths are important!

Finally rooted this box and learned about capabilities :slight_smile:
Special thanks to @sanre for taking the time to explain about linux capabilities.

I’m stuck on the last step for privesc.

I think I know what binary to use from the last user to get access to the flag, but I’ve been staring at man pages and playing with the program for the past hour or two and can’t get anything other than ‘permission denied’ errors for the file I want access to.

can anyone explain to me why jxplorer is so ludicrously slow, while shelldap is lightning quick? I feel like part of it is that jxplorer is a gui, but that just can’t make that big of a difference.

Can anyone help? I’ve been stuck on this for days now, trying to get user. I have run tp while querying a million different things, have found the hashes, but nothing more than the output of the actual query. I’ve read the entire RFC and the documentation of all l and s* commands. Any nudge would be appreciated, this is driving me mad.