Ghoul

Finally rooted and enjoyed the journey. Thanks to all for nudges along the way. The ending is the best!

Spoiler Removed

This box kicked my ■■■. I spent four days straight trying to understand how to get root. Thank you to @m4xp0wer and everyone else with the tips and blogs.

And this clip highlights my frustration, and it's also a helpful tip!

root@Aogiri:~#

You know what? I still can’t find root.txt. Any idea?

Edit:
Wow. It was a very long journey. You will encounter a bunch of rabbit holes and trolls. IMO, the very last step for getting root.txt was cool and pretty educational for me. However, the root process was CTFish.

Also, many thanks to @johnnyz187.

Thought I got all the way there and then got trolled. Giving this box a break (permanently, lol). User was “ok”. Don’t plan on rooting, though. Not worth it.

Where can I find the passphrase for the SSH key? The hash in se***.php doesn't work.
Do I need to decrypt shadow?
EDIT: for the passphrase, ce*l will help a lot.

Problem with port 3000: Gogs not working?

This box got a lot of hate, but no joke I think I had the time of my life rooting this one. Took a while, and yeah maybe rooting was considerably more difficult than getting user, but what a ride. So many rabbit holes!

Learned a whole lot, and any time I root a box and I learn something new I consider that a win. Thanks Minato and egre55!

Thanks mate @agr0 :slight_smile:

g*** server down?
Edit: Enum the network and Directories!

Edit2: Omaigod, rooted after 2 weeks! Would be months if it weren’t for the immense help given by @Alienware @TSB @cyberus

To newcomers: Get on the box, you’ll learn PLENTY!

Hint for user: File Upload Vulnerability + Think Harder, what other services can you exploit with that

Hint for root: Enumerate…seriously hard, everything is stashed EVERYWHERE, files, hidden files, network, the whole system and network, ssh and git fu is very useful :wink:

Can DM if you guys need directions

Note for the creators @MinatoTW, @egre55: Amazing box, learnt a lot of new techniques even when it wasn't the right path! Seriously loved it although I felt like dying at times @.@, thanks again!

Can anyone PM me a hint on what to do when the g*** box is rooted? Found additional creds, enumerated the whole box, but can't figure out what the next step is.

EDIT:
Hint: you need to look deeper in what you already found…

…feel so stupid that I couldn't figure out the phrase for kaneki for a week when it was just in front of me :slight_smile: Was just looking through all the possible info I had and boom - here it is! But how in the world did I not see that before…

I uploaded, I got root, I moved to kaneki-**, I found the Go** and I got stuck for a while.
Please, I need a hint to find creds.
Or do I have to escalate in kaneki-**?

@Skid3ow said:

I uploaded, I got root, I moved to kaneki-**, I found the Go** and I got stuck for a while.
Please, I need a hint to find creds.
Or do I have to escalate in kaneki-**?

Exactly the same place myself. I know we need to look at Go* and I even have the correct exploit, but still can't make it work %) Though I didn't have enough time to play with it.

I’m at the point where I’m root on first step (easy slide, but beware… things might get “slippery” when wet :D), I found a lot of SSH keys and decrypted the one that was encrypted. (Getting the passphrase was easy as it struck me as odd when I first saw it… that’s why I tried that first.)

Scanned the network with nmap, found one box with well-known-service on it but none of the loot so far worked on that. I also found a script that was part of a Black Hat talk and a quite big file that might have been put through that script. I think I have to decrypt that file but I’m quite stuck there.

I got it to a point where it spits out some code, and I’m using the only thing I found in a known file that has a matching length to be used as a key. But trying that only gives me garbage as far as I can tell.

(And no, I can’t use Pspy to skip this step like others seemingly have done, because on VIP the chance of encountering this is very low.)

I guess it would be helpful to get a hint at how to locate the offset of the added garbage (so I can tell if my decryption was successful or I’m looking at random garbage) since I don’t have the unmodified original file as reference and don’t know how big the ciphertext is and if my guess at the key is right or wrong … or if this script and file are just a troll to waste time. I also found some more credentials from various places but don’t know if they might come in handy later, so I’ve just written them down.

/Edit: NVM, found it xD I was blind… now at pivot point 2 :slight_smile:

@darkkilla said:

I’m at the point where I’m root on first step (easy slide, but beware… things might get “slippery” when wet :D), I found a lot of SSH keys and decrypted the one that was encrypted. (Getting the passphrase was easy as it struck me as odd when I first saw it… that’s why I tried that first.)

Scanned the network with nmap, found one box with well-known-service on it but none of the loot so far worked on that. I also found a script that was part of a Black Hat talk and a quite big file that might have been put through that script. I think I have to decrypt that file but I’m quite stuck there.

I got it to a point where it spits out some code, and I’m using the only thing I found in a known file that has a matching length to be used as a key. But trying that only gives me garbage as far as I can tell.

(And no, I can’t use Pspy to skip this step like others seemingly have done, because on VIP the chance of encountering this is very low.)

I guess it would be helpful to get a hint at how to locate the offset of the added garbage (so I can tell if my decryption was successful or I’m looking at random garbage) since I don’t have the unmodified original file as reference and don’t know how big the ciphertext is and if my guess at the key is right or wrong … or if this script and file are just a troll to waste time. I also found some more credentials from various places but don’t know if they might come in handy later, so I’ve just written them down.

/Edit: NVM, found it xD I was blind… now at pivot point 2 :slight_smile:

Been stuck for a while and I'm in a similar position where I have the *py file, have done my Nmap scan and found a host with a single port open but can't SSH to it?

Can someone please help me with the escape in the first Docker?

@avi7611 said:

Can someone please help me with the escape in the first Docker?

yes

ok

I am on the last container, got a compressed file, got creds too but they are of no use, what now?
No clue.

EDIT: rooted, it was fun and something new for me.

Thanks @MinatoTW @egre55