Ghoul

Type your comment> @AmiToLotto said:

Where to find passphrase for ssh key ?
Is se***.jpg a rabit hole.

change .jpg to .php when search for passphrase

@tabacci
Thx that works

I’m in g*** as “admin” I can also get a rev shell as g** but I don’t know what to look for or escalate…

EDIT: one more step… stuck on the next one. Crazy box!

EDIT2: rooted with a lot of help. Last step is too much

I’ve gained access via ssh, and nmap’d the /24 rather than the /16 and found some hosts – but cant seem to find anything that stands out?

is kaneki crack of encrypted key the way to user (im failing to crack it) ? have shell with other two users, cant find flag :slight_smile:

@ntroot No, you don’t! I got the user flag before I had a decrypted version of that key.

Thanks, i got it. Now try harding to root, LOL :slight_smile:

Could someone pm me where to look for uploaded file? Is it inside the M*** Area (no access yet)? I’ve recursively enumerated all possible dirs searching for it. Or I won’t see it in those and have to exploit?

I’m stuck at the pivoting part. I have a root shell but I’m not quite sure how to go about pivoting to acquire the other. If anyone has any links or reading material that could help me learn this and get further i’d greatly appreciate it. :slight_smile:

@Phase said:
I’m stuck at the pivoting part. I have a root shell but I’m not quite sure how to go about pivoting to acquire the other. If anyone has any links or reading material that could help me learn this and get further i’d greatly appreciate it. :slight_smile:

You could for example check out write-ups and videos for retired HTB boxes that needed many pivots and exploring the network - e.g. for the machines Reddish or Ariekei.

Type your comment> @kekra said:

@Phase said:
I’m stuck at the pivoting part. I have a root shell but I’m not quite sure how to go about pivoting to acquire the other. If anyone has any links or reading material that could help me learn this and get further i’d greatly appreciate it. :slight_smile:

You could for example check out write-ups and videos for retired HTB boxes that needed many pivots and exploring the network - e.g. for the machines Reddish or Arikei

Awesome thanks for the advice. That’s a great idea.

Could someone give me a PM nudge - I have a shell as www-data, but I think I’m down a massive rabbit hole getting to a user. is edit**_***-R*****.p** important?? Or the other files in that dir? I’ve done some unpacking deeper and deeper, and it feels like I’ve hit a troll.

Edit:
Got user now, many thanks for the help!

Rooting this box was pain in the ■■■, so many steps and guessing.
Between getting user and getting root is a vast abyss
Thx everyone who helped me on this road.

Very cool machine. Learned a lot of things. Thanks to @AmiToLotto @Xentropy and @tabacci for all the help. I would like to share some tips so other people don’t struggle as much as I did. I’ll try to keep this spoiler free, if you feel that I’m spoiling something please report it.
User: Keep notes of everything you find in the website then upload your file, there’s a vulnerability in the library that handles the files (HUGE HINT RIGHT HERE)
Root: This is the hardest part, enumerate, pivot, enumerate some more, pivot again and keep enumerating. You should read about git commands. Once you have certain juicy info use that and then some ssh kungfu is required.

I’m stuck on the second pivot… Are the same keys supposed to work as in the first and second box? I keep getting a permssion denied error. Not sure if it’s because I’m doing something wrong or something is just screwy with the keys I got.

What a ride, nice quest! loved/hated it, I mean, the journey is awesome, It forces you to do a good and depth enumeration on every place that you land… If not, it’s easy to fall in the feeling of f**k this guessing game.

Apart, It’s nice not being alone along the ride, saying this for all the hints,notes, etc. laying all over the place, the 90% of this, it’s a direct help for the next step.

The only problem, for me (IMHO), It’s the balance between the user and root. At least, in the Reddish quest, the user pops up at the “middle” of the road… Here appears right at the beginning of the journey, and when the "You've done well to come upto here human..." comes, you’re already with a fried-brain hoping not to see/need a new jump (at least, this is what happened to me ■■■■ :joy: .

btw, good box, learned tons of new things, but I must vote for the “totally not a 40pts box” thing… :+1:
Cheers!

Does anyone have a hint of what to do once I’ve got user on g*** server? I’ve been enumerating but theres nothing that really stands out…

Hint User: Try upload usefull file.
Hint Root: Scripting is good way.

This machine must give a badge and 10 points more.
Change my Mind.

anyone hint me on how to proceed please … have root on last part (git), found those sources, looked info on them, found some m*** credz, but other than that im lost (cant even find that m***), oh boy this one is loooooong, definetly CTF for 100 points :slight_smile:

Struggling to pivot here. My scans are showing only one other box out there with a single service? Had a good hunt for logs and configs locally, and have some strong candidates for box names and what they might be hosting, but can’t find anything. I feel like it must be obvious, as no-one else seems to have come a cropper here! :slight_smile:

Any non-spoilery nudges welcomed.