I adapted the /e,/h,s file to link to the IP, however browsing to c,.h,:80/ does not load in my browser… curl gives me an answer after like 5 minutes… super weird… 10.10.10.120 gives me the “no direct ip” instantly. Similarly for /w,/ i get the listing, but accessing /w,/w,s/ the page keeps loading indefinitely.
Is this server broken, or what might I be doing wrong?
just got root.
I really liked it, these kind of boxes are my favourite.
Lots of different tools and techniques, not too hard, and not too easy.
Learned some new stuff too, and explored some new tools to but in my belt.
If you need some hints (it’s still some time left before it retires), feel free to DM me.
Update so far - It is as obvious as I thought coming back to it and help from some people, I have yet to get user or root on this one though - I feel like I need to do more for my CTF boxes as I’ve been dreadful on this one.
[USER]
Harder than I thought. Thanks @fjank for that help.
[ROOT]
Seen some hints are here that point you in the right direction. This part was easier for me that user. Do some googling and remember who’s directory you’re in
Need help getting a reverse shell. I know what commands are blacklisted, listed the binaries installed on the machine so I know what command to send to pop the shell, but how do I run the command?
I can write to files, run a command and save its output to file, but I don’t know how to trigger my shell.
*EDIT: Never mind, got it! Just trying to get root now.
I adapted the /e,/h,s file to link to the IP, however browsing to c,.h,:80/ does not load in my browser… curl gives me an answer after like 5 minutes… super weird… 10.10.10.120 gives me the “no direct ip” instantly. Similarly for /w,/ i get the listing, but accessing /w,/w,s/ the page keeps loading indefinitely.
Is this server broken, or what might I be doing wrong?
Your browser probably loads that file on startup, restarting it should fix it!
Just finished enumerating this one. I can see that there could potentially be a lot of rabbit holes. I guess that is the point, to determine what is valid and what is a total waste of time. Being lazy, I may not spend too much time here unless w*******s reveals anything.
Got some c***s but I did it manually and can’t get my tools to automate it, anyone want to pm me if they got this in an automated fashion? I’d like to learn for future.
I am stuck on escaping the rbash section. I have read all the comments and tried to perform every escape with no luck. I was however able to read the user flag without escaping rbash so there is that.
If anyone could PM me with a hint on escaping rbash that would be great.
@yunolikeme1 said:
I am stuck on escaping the rbash section. I have read all the comments and tried to perform every escape with no luck. I was however able to read the user flag without escaping rbash so there is that.
If anyone could PM me with a hint on escaping rbash that would be great.
Yeah my hint to this:
rbash cut off your legs(cd) and took out one of your eyes(ls) :frown:
but you still have one other eye… one that can see the true PATH…
Stuck on the p** maker page. From reading comments, I see this is where I can get RCE, but stuck for days. Anyone PM me a nudge? A hint is preferred, not a spoiler. Thanks in advance.
Once I got the limited shell, I was able to get user pretty quickly. I really think I didn’t use the common method, please message me with how you escaped rbash and I can share my method.
Can someone PM me a hint for the initial creds?
I cant find them after multiple enumeration.
Found multiple locations to log into, but no creds.
Also found that w*******s.