Curling

I got it! I finally got it \o/

Advice for root:
Try doing what you’re attempting to do locally - if you have a gnu/linux distro available to you.

nvm

got it thanks

Got non-interactive shell… cant seem to get it TTY… anyone PM for some guidance?

Type your comment> @chojin said:

Got non-interactive shell… cant seem to get it TTY… anyone PM for some guidance?

we can use python but there is no python install but python3 seems to be

Stuck on root, found the files that are involved, but just isn’t clicking for me. Any advice would be greatly appreciated

I am stuck on priv esc. I am running a script to see what is changing the it and rt files. I can see a periodic cat command is overwriting one of the files from a location my user fs does not have access to. I don’t see what is actually updating the rt file though. After a little research, I understand which binary might use the contents of it for its execution and in fact it is that c* binary that is outputting the result to the r****t file. But this is when I’m hitting a wall. What next? Will really appreciate a nudge here.

UPDATE: Got the root flag. Had to time my update to the i****t file.

Update to my post ^: Got root.txt. Just had to time my update to the i***t file.

Type your comment> @R0B07 said:

Type your comment> @chojin said:

Got non-interactive shell… cant seem to get it TTY… anyone PM for some guidance?

we can use python but there is no python install but python3 seems to be

Im feeling like a fr34king nub haha… (actually I am :P).
Did notice python3, but I couldn’t execute it… perhaps I was just doing it wrong.

Thanks for this m8.

Thanks to all of the useful comments in here, I snagged the root flag last night. Not sure how I might escalate that to a shell though, if anyone would mind explaining or pointing me in the right direction for that, I’d appreciate it.

Other than that, my advice for those trying to get the root flag:

  • If you haven’t yet, you should learn more about curling. It might come in handy.

hey fellas

trying to get the reverse shell via php…can’t figure it out. Anyone lend a hand? Just a gentle nudge in the right direction…I tried to edit the i***x.php with my code but nadda…apols if this is spoliery…

Hank

#Removed, probably already have it… #TryHarder :slight_smile:

Finally after 3 days… got root!
Not sure if I did it the right way… but found the root.txt file.

Didn’t got the root password though (john still busy on it… not sure if it will succeed).

Learned a lot again from this one and was really fun. Good box!
Anyone needs some hints, feel free to PM me.

ok reverse shell done…only a low priv user…need to work on priv esc. I can see the p******_B***** file…can I download it as www-data?

wow… please how do i go about privesc… i’ve see the two file in the a******e folder

Seems this VM needs a reboot, every page including the default one throws the WARNING: Failed to d… error page…

Reset done, back to normal behaviour.

Loved the machine!
Don’t neglect what might look like a rabbit hole for root.
Anyone who managed to get a root shell, please pm me, I’m curious to know how it’s done.

I could use some help getting root on this one… I see the files in a****-a*** and I know I need to use c*** but my brain isn’t putting it all together to make it useful. i’ve read the man pages and tried running a few flags on it but I’m not getting anywhere. Any help is much appreciated.

guys, before I start going down a tedious rabbit hole, can I confirm…that p******_B****** file…I’ve got the hexdump of it…am I meant to reverse it?

Type your comment> @Delitor said:

I am a little stuck, I have a PHP reverse shell and I am on as www-data. I can’t figure out how to escalate and when I try to grab files I get

edit, I was able to get the p******_*****p done and now I have user access and gotten the user.txt file and now i am trying to get root access and flag. i have seen where people say its obvious but i cannot see it and I am looking for a little nudge.

did you have to reverse the hexdump of that file…or am I missing a way of copying it down as www-data?

Finally got user and root flags. I have a question though regarding the p******.******p file. I managed to get what I needed but I had to run multiple successive commands, where i think only 2 were enough. Is there someone that can PM me, and I can detail my question (can’t do it here, spoilers :slight_smile: )