Ghoul

Could someone give me a PM nudge - I have a shell as www-data, but I think I’m down a massive rabbit hole getting to a user. is edit**_***-R*****.p** important?? Or the other files in that dir? I’ve done some unpacking deeper and deeper, and it feels like I’ve hit a troll.

Edit:
Got user now, many thanks for the help!

Rooting this box was pain in the ■■■, so many steps and guessing.
Between getting user and getting root is a vast abyss
Thx everyone who helped me on this road.

Very cool machine. Learned a lot of things. Thanks to @AmiToLotto @Xentropy and @tabacci for all the help. I would like to share some tips so other people don’t struggle as much as I did. I’ll try to keep this spoiler free, if you feel that I’m spoiling something please report it.
User: Keep notes of everything you find in the website then upload your file, there’s a vulnerability in the library that handles the files (HUGE HINT RIGHT HERE)
Root: This is the hardest part, enumerate, pivot, enumerate some more, pivot again and keep enumerating. You should read about git commands. Once you have certain juicy info use that and then some ssh kungfu is required.

I’m stuck on the second pivot… Are the same keys supposed to work as in the first and second box? I keep getting a permssion denied error. Not sure if it’s because I’m doing something wrong or something is just screwy with the keys I got.

What a ride, nice quest! loved/hated it, I mean, the journey is awesome, It forces you to do a good and depth enumeration on every place that you land… If not, it’s easy to fall in the feeling of f**k this guessing game.

Apart, It’s nice not being alone along the ride, saying this for all the hints,notes, etc. laying all over the place, the 90% of this, it’s a direct help for the next step.

The only problem, for me (IMHO), It’s the balance between the user and root. At least, in the Reddish quest, the user pops up at the “middle” of the road… Here appears right at the beginning of the journey, and when the "You've done well to come upto here human..." comes, you’re already with a fried-brain hoping not to see/need a new jump (at least, this is what happened to me ■■■■ :joy: .

btw, good box, learned tons of new things, but I must vote for the “totally not a 40pts box” thing… :+1:
Cheers!

Does anyone have a hint of what to do once I’ve got user on g*** server? I’ve been enumerating but theres nothing that really stands out…

Hint User: Try upload usefull file.
Hint Root: Scripting is good way.

This machine must give a badge and 10 points more.
Change my Mind.

anyone hint me on how to proceed please … have root on last part (git), found those sources, looked info on them, found some m*** credz, but other than that im lost (cant even find that m***), oh boy this one is loooooong, definetly CTF for 100 points :slight_smile:

Struggling to pivot here. My scans are showing only one other box out there with a single service? Had a good hunt for logs and configs locally, and have some strong candidates for box names and what they might be hosting, but can’t find anything. I feel like it must be obvious, as no-one else seems to have come a cropper here! :slight_smile:

Any non-spoilery nudges welcomed.

Type your comment> @smallgods said:

Struggling to pivot here. My scans are showing only one other box out there with a single service? Had a good hunt for logs and configs locally, and have some strong candidates for box names and what they might be hosting, but can’t find anything. I feel like it must be obvious, as no-one else seems to have come a cropper here! :slight_smile:

Any non-spoilery nudges welcomed.

Try pivoting to that box and see what you find.

@Phase said:

Try pivoting to that box and see what you find.

I did give that a go with no joy, but maybe I messed something obvious up. I’ll go back and re-focus on that again, cheers.

Edit:
Sorted! Many thanks to several people for the help and guidance, with a special shout-out to @Phase

One ■■■■ of a box. Felt a little too harsh and long for root at times, but on the other hand I learnt a LOT from it, so maybe it all balances out. Kudos to the creators :slight_smile:

Type your comment> @smallgods said:

@Phase said:

Try pivoting to that box and see what you find.

I did give that a go with no joy, but maybe I messed something obvious up. I’ll go back and re-focus on that again, cheers.

I would look at the NIC’s on the box you pivoted to. That can give you a clue of where to scan next. :slight_smile:

Finally rooted and enjoyed the journey. Thanks to all for nudges along the way. The ending is the best!

Spoiler Removed

This box kicked my ■■■. For four days straight trying to understand how to get root. Thank you to @m4xp0wer and everyone else with the tips and blogs.

And this clip highlights my frustration and its also a helpful tip!

root@Aogiri:~#

You know what? I still can’t find root.txt. Any idea?

Edit:
Wow. It was a very long journey. You will encounter with bunch of rabbit holes and trolls. IMO, very last step for getting the root.txt was cool and it was pretty educational for me. However, root process was CTFish.

Also, many thanks to @johnnyz187.

Thought I got all the way there and then got trolled. Giving this box a break (permanently, lol). User was “ok”. Don’t plan on rooting, though. Not worth it.

Where to find passphrase for ssh key ? the hash in se***.php doesn’t work .
do i need to decrypt shadow ?
EDIT: for passphrase , ce*l will help a lot

problem with port 3000 gogs not working ?

This box got a lot of hate, but no joke I think I had the time of my life rooting this one. Took a while, and yeah maybe rooting was considerably more difficult than getting user, but what a ride. So many rabbit holes!

Learned a whole lot, and any time I root a box and I learn something new I consider that a win. Thanks Minato and egre55!