FluJab

This box was a good mix of realism and CTF elements. While it was a bit silly, there are some good real-world lessons to be learned. The manual stuff to get a foothold on the environment was a big lesson for me. I often rely on tools to do this stuff, and the output of the exploit was a good lesson in paying extremely close attention to what is in front of you. I was on the right track but didn’t realize it until someone gave me a very helpful nudge.

I thought the following step to get user access was overly complicated, but I suppose this sort of vulnerability could still exist in some corporate environments.

Root was pretty straightforward, and is actually related to something I have come across in the real world. I am not sure if my method was the one everyone else used, but after tricking the system in to giving me the environment I wanted the root path was quite smooth.

I gave this one a thumbs up since I learned some new stuff.

Rooted!!!
I liked the initial approach, the manual enumeration was nice, I learned a few things. For root, well, if you look in the right place for the exact thing you need, the rest is straight forward!! as @gongol said above, There are many versions. get the right one.

Thanks @billbrasky & @IteXss
Glad you both got something out of it.
???

Rooted

All you need to get root is here. I can see that this box took some time to be created and thanks for that. But I didn’t like it as i was expected

My hints

User: the clowns are your friends ( annoying friends), They are telling you stop!. Next if you find the right place, keep an eye in single details. when you can talk with the nurse, pay attention in his head, the body of a nurse is not important XDDD. The last part to get user, just enumerate and verify old bugs related with the door. (Hope I’m not spoiling)

Root: don’t overthink, just put everything in order. Enumerate as usual and verify with the traditional way, what you can do? At this part I was tired, cuz this box was driving crazy.

Again, I think that to create this box, take some time, however the effect wasn’t expected for me. However thank you

Thanks @CHUCHO
Sorry to hear you didn’t learn anything you wanted to.
I appreciate you providing some feedback.
??

Can someone plese DM me how do i get that nurse to talk to me more ? I got her Ca****** notice but other than that im confused :scream:

Can somebody help me out? I was able to extract credentials, but where I thought they were needed apparently isn’t right. I feel like I’m running in circles now.

Yep, i got creds as well, stuck on same boat now as you k13rnan :slight_smile:

Grrrr … have s** key, whi***** myself on s**, have pass for k** but still cant login, WTF this box has so many steps that is ridiculous. Someone can give me a nudge in a right direction on DM please. Thx!

Finally Rooted!
A very long journey but hey…that was definitely one of the most challenging and funny box ever tried.

My 2 cents: enumerate carefully, look everywhere, then you find that there is something you must change. When you do it, the nurse will “guide” you through to your next step.
After that, you should have all your weapons to break into the final door.
For root, check each type of the bin you are targeting.

@3mrgnc3 thank you! Lot of fun and learnt a lot.
Just a quick question: I noticed there is an “easy” way to bypass a lot of steps for user and root, was that a shortcut intentionally left there? :slight_smile:

Thank you again,
cheers.
blink3r

@blink3r
It was unintended originally. But after looking at it, decided it’s cool to leave in and doesn’t really change the difficulty much.
Glad you had fun.
??

For other people getting frustrated. One other thing i will ask is this.
If YOU use an ssh private key irl. Do you use it to ssh back to yourself, or to ssh to other boxes?
I have only ever done the first one in a CTF…

I can get info from the Nurse, got creds and a hint of where to use them, but when I go to the place hinted I just get “direct access not allowed”. Do I have to focus on a way to bypass this “not allowed” message or do I have to keep searching with the Nurse?

direct access is not allowed but there is a lot of alternative accesses, use one of them.
I got info from the Nurse after all my ways, may be there are several infos from Nurse, I got only one series.

Nurse sent me very important data to go further, so force her to send you more info.

rooting is realistic case, spent three hours to search and practice new exploit.

I just managed to no longer see clowns, but now I’m a bit stumped how to move forward. I’m trying S**P for a while, without no response. This is tricky :warning:

Type your comment> @pzylence said:

I just managed to no longer see clowns, but now I’m a bit stumped how to move forward. I’m trying S**P for a while, without no response. This is tricky :warning:

Try S**P harder, It will be useful to get info from Nurse

Thank you to @tabacci for this nudge and @3mrgnc3 for the box. It made me remember something that made me try really harder in the initial days.
This is really close to a penetration test. If you think this is just a web application penetration test, you might be highly mistaken. This is NOT just a web application penetration test where you’d run some automated tool, or perform SQLi, and boom, you get in. This requires some work, some patience, some suffering (@3mrgnc3 knows what I’m speaking about :wink:)
Really enjoyed this box. I +1 it. PMs are not welcomed :blush:

Any hints on intitial footholds and getting around no direct IP access?

hahahahahahahahaha
…/?admin redirects to …/?u_wish

Any hint on direct ip access not allowed? http header does not work :frowning: even with ip 20.xx.xx.xx5