At last, rooted, privesc is by far more intuitive and realistic.
User is fine-ish, but some parts are just a bit too CTF for me, there’s some guesswork involved, but it is manageable. Most importantly don’t give up and don’t go too deep if you’re not sure that your approach is not a rabbit hole, you’ll spare yourself some time.
If anyone needs help getting user/root feel free to PM me, happy to help.
Usered without any hints from here. Easy.
Do not confirm that you cannot get root from www-data,
“Look Around” technique helped to get root from www-data.
This machine is difficult because it leads to rabbit holes, the clues they give in some parts really did not help much, in fact those comments are traps for your brain! Hahaha
User
To start many users have said: Enumerate port 53, it helped me to see a video of a machine that makes the enumeration in the same port (In some parts of the thread they mention the tool)… Once you have it and you are on the Haha page it is not necessary to guess the things, look at the other “service”, list it, the creator put a comment that leads to the RCE and I did not see it, it was thanks to @dispareo that helped me.
Root
In the privesc I lost too much time doing stupid things … I got it thanks to this track, it’s too good:
@humurabbi said:
Rooted Successfully.
Hint for user: The only reason this machine is difficult is due to the large number of rabbit holes. So first you need to identify and dodge them. Look for the comments to identify them.
For root: pspy can be helpful
Finally thanks to all the users for providing valuable hints in the forum. Without you, it would not be possible
When you find the magic file do not think about it much, you have to read the book and scratch it carefully!
Quite stuck on the box, I got the source code of (I guess?) the whole 3 websites, but can’t find any RCE. Feel like I miss something, doing my whole enumeration again but nothing is showing up at the moment.
EDIT : rooted.
Thanks a lot to @clmtn for helping me on user part, I was missing the “guessing” part to get RCE.
Took me 5mn to go from www-data to root. I confirm it is possible to do so without user.
Did not like quite much the box as it’s too CTF-like. (guessing part drove me mad)
Still I upvoted it, because I learnt a lot about port 53 ! Thanks to the creator.
Nice one. Just to clarify, you can fuzz the path you need to hit for RCE.
I found getting user fairly tricky, lots of misdirection and rabbit holes. Hint for getting user:
If you’ve made it to haha, look at the two parameters, and think about what function in PHP includes information from other pages, and how you can feed it information.
Working on root, I feel like I have the right file and am looking at the right ideas, but I just can’t figure out how to leverage it. Going crazy feeling so close to finishing!
Can’t seem to find the haha page that has been mentioned here previously, any hints?
Okay so I’ve found the haha image, is there anything worth bruteforcing hidden in the image?
EDIT:
Rooted. Rabbit holes for user were really annoying, spent the most time on user by far, ended up I was looking at the wrong thing for LFI. Once I got www-data, user takes seconds and root shouldn’t take too long either. Thanks to those that hinted.
First of all I’m thanking @N30C0UNT and @sesha569 for the hints and help…
Enumeration part was not that hard…
just “Dig” deeper…Times and “Zones” are important…
Once you got the creds and the way to login then just recall the places that you just crossed…
user was not even hard…
root also easy but should see what are running and executing exactly…
And if anyone needs any help you can ask me any time…
May I ask for some help… I’m kinda stuck. I found the creds.txt file, and tried enumerating port 53. Found something interesting using dig, but can’t use that information. I’m basically looking for that admin THING without any luck. I would appreciate any hints without spoiling the whole thing. Thx
Hi guys! Can someone help me, please? I’ve found creds, I’ve enumerated port 53. But now I’m stuck on the H**A page. I’ve scanned all those ■■■■ things, I don’t know how to make progress.
was finally able to read root.txt --this box was a real challenge for me. would love any input from anyone who was able to get a root shell. a friend showed me one method that was pretty wild, wonder what others came up with. cheers!