Quite stuck on the box, I got the source code of (I guess?) the whole 3 websites, but can’t find any RCE. Feel like I miss something, doing my whole enumeration again but nothing is showing up at the moment.
EDIT : rooted.
Thanks a lot to @clmtn for helping me on user part, I was missing the “guessing” part to get RCE.
Took me 5mn to go from www-data to root. I confirm it is possible to do so without user.
Did not like quite much the box as it’s too CTF-like. (guessing part drove me mad)
Still I upvoted it, because I learnt a lot about port 53 ! Thanks to the creator.
Nice one. Just to clarify, you can fuzz the path you need to hit for RCE.
I found getting user fairly tricky, lots of misdirection and rabbit holes. Hint for getting user:
If you’ve made it to haha, look at the two parameters, and think about what function in PHP includes information from other pages, and how you can feed it information.
Working on root, I feel like I have the right file and am looking at the right ideas, but I just cant figure out how to leverage it. Going crazy feeling so close to finishing!
Can’t seem to find the haha page that has been mentioned here previously, any hints?
OKay so I’ve found the haha image, is their anything worth bruteforcing hidden in the image?
EDIT:
Rooted. Rabbit holes for user was really annoying, spent the most time on user by far, ended up I was looking at the wrong thing for LFI. Once I got www-data, user takes seconds and root shouldn’t take too long either. Thanks to those that hinted
First of all i’m thanking @N30C0UNT and @sesha569 for the hints and helps…
Enumeration part was not that hard…
just “Dig” deeper…Times and “Zones” are important…
Once you got the creds and the way to login then just recall the places that you just crossed…
user was not even hard…
root also easy but should see what are running and executing exactly…
And if anyone needs any help you can ask me any time…
May I ask for some help… I’m kinda stuck. I found the creds.txt file, and tried enumerating port 53. Found something interesting using dig, but can’t use that information. I’m basically looking for that admin THING without any luck. I would appreciate any hints without spoiling the whole thing. Thx
Hi guys! Can someone help me, please? I’ve found creds, I’ve enumerated 53 port. But now I’m in stuck on H**A page. I’ve scanned all that ■■■■ things I don’t know how to get progress.
was finally able to read root.txt --this box was a real challenge for me. would love any input from anyone who was able to get a root shell. a friend showed me one method that was pretty wild, wonder what others came up with. cheers!
Think I got everything I need from enum, brazilian dance, paths, etc … Now working to get those two (three) params and that final access timestamp puzzle pieces together. That much enum is fun, but the box is a wee bit too CTFy for me, though. Fun box, nevertheless !
Thanks to a few of you guys for the hints on user. The initial foothold was different and took me awhile.
Root was pretty easy once I took a look at what’s going on in the system.
My suggestions for initial foothold and user are to keep digging, do some guesswork, play with files both locally and remotely, pay attention to the comments so you don’t get stuck down a rabbit hole, enumerate, and tamper.
My suggestions for root are to understand what the system is doing. What can you leverage and how can you leverage it? A helpful hint that I had for root was mentioned in this thread quite a few times.