Curling

got user and root flag, still working on a root shell but not really sure if I am overcomplicating it. Anyone willing to give a hint in PM?

Type your comment> @Parrrs said:

I read most of the comments, but still couldn’t get the root shell. I am looking into a***-***a directory and still couldn’t get a clue. Can someone PM me a hint?
Thanks in advance…

Edit the files, watch the files. See if you can catch whatevers happening to them. Then read the manpage.

@c4m said:
Stuck on getting a shell uploaded on the joomla admin panel, tried editing the templates, installing a simple file uploader but nothing seems to work, anyone able to nudge me in the right place?

PM’d you.

So i found a password that im 100% is a password to something. usernames are typically admin. i had attempted to login but got a “security token” error. Now i cant login with the same creds i think. Should i reset it?

After almost two days on this seemingly easy box I finally found the root flag. I’m still not sure which process is running and updating that one file, so if anyone is willing to discuss please dm me.

thanks to jkr for showing me a nice way to monitor the running processes :slight_smile:

rooted, but i got user by uploading shell , i wanna know how the others overwriting the index.php to get shell , plz PM me :smile:

Edit: got it, I’m an idiot :grimace:

Rooted, fun box! I actually got it through a root shell. I would like to know how others did it, I think there is another way by editing a certain file i…t.txt. I think it would also be possible to output the flag in a way. I saw others try it. Somebody cares to share this method (PM)? Thanks!

I feel like an idiot, I have fount he se****.*** file and I even know how to drop a shell, but I cannot find the way to use that password (transformed I mean) with any user or where in the login. Could someone drop me a PM to help?

Im baffed! What is it about “curling” i dont get. How can I privesc with it. I have a low priv shell banging against the directory that contains. user.txt if anyone can help me get a root shell I would be very grateful. PM me if your further behind and need a leg up to here

Got root. Enumeration helped me a lot to find the vulnerability.
I did not need any additional editing. (
Frankly speaking, rooting was much easier than extracting user password from that file ((((

oops

rooted if you need help pm :slight_smile:

Still very much a noob at this but I managed to get root.txt with only the slightest of hints. What amazes me is a) I make the intuitive leaps that actually get anywhere and b) that anyone else does!

Haven’t managed to root the box though… Is this done via the mechanism that was used to grab the flag?

I’m trying to get the reverse shell by using a technique learned from ippsec (popcorn). Joomla however refuses to accept it no matter the content type, extension or the content of the file itself.

Is there any other way to upload “unsafe file” and execute it?

EDIT: Of course there is…

Could someone please PM me a hint regarding a****-a*** and the two files in there? Can’t figure out the command.

Type your comment> @Parrrs said:

Type your comment> @mortone said:

hi guys. could somebody help me with p*******_b***** file? the question is how this decrypting works…

level 12 of Bandit on Over The Wire, search for it, you’ll understand…

Thanks

Oh what fun box that was!

Rooted and I feel so happy, that nobody did PM me with hints and I did it on my own.

I’m happy to help someone who’s stuck.

I’m stuck on obtaining root.txt using curl could someone PM with some hints?

Edit: Just, picked up root.txt.

Don’t overthink it like I did.

Exploits come and go, methods for privesc may change, but being able to have awareness of your environment and surroundings of what is currently in front of you is a soft skill that everyone needs to have and work on, even for myself.

Also, thanks @Monty for pointing this out to me.

I keep getting
WARNING: Failed to daemonise. This is quite common and not fatal. Connection refused (111)
What is the solution to this? Does this warrant a reset?

Thanks for the machine! User flag took about 30-40 mins and two cups of coffee. Root flag took about 30 mins and then root shell about 15 mins after that. Learned something new when it comes to figuring out the subgoal of the next step in theory and then researching how to do that in practice and what commands you need to achieve it.