Jarvis

I’d like a hint on privesc too, got user fast, but completely lost on privilege escalation

Rooted. Started at the same time it was released. I was stuck at the initial foothold, though I knew what the AV is. In 30 mins, the notification popped up that 1st blood was “spilled”. Came back in a few hours, got a low-level user shell. Then spent another good few hours finding a way to root. I hope I did it the intended way, because something suspicious popped up in my enum.

Though this root privesc requires a sacrifice of something unless attackers roll back to the initial state, so a reset is preferable for this box.

Got stuck on HTTP, any hints?

nice one

Is that sis thing a rabbit hole for privesc? :confused:

@mpzz said:

Is that sis thing a rabbit hole for privesc? :confused:

My bad. That was not a rabbit hole. Got root :slight_smile:

So is there really an LFI here? Because I was suspecting the same thing.

@m00nr4c00n said:

I'm so bad at privesc… got LFI working, got RCE working… but fk me! I'm just www-data.

How did you get LFI working? I tried. I got request canceled.

Spoiler Removed

Hint for user: a fortune character might help.

Hi, I can get a connection from the server and I can run commands via a specific scripting tool, but the user is not the correct user for me. How can I escape from www-****?

This box is just straightforward and awesome… Don’t overcomplicate anything…
Those who are not getting the user shell from www-data, check which shell you’re using to execute commands…

Rooted! I really enjoyed this box! Every step is pretty straightforward once a proper enumeration has been done, so that no guesswork is needed. Thanks to the authors!

Could anyone provide me some insights (looking on what to research) on subverting the (you know what) file to get user.txt?
The obvious chars that would allow that are being “filtered”.
Thanks!

Got it :slight_smile: A bit of manual brute force and logical thinking did it :stuck_out_tongue:

If you’re getting banned, why don’t you switch to something more reliable…? :slight_smile:

@anthonws said:

Could anyone provide me some insights (looking on what to research) on subverting the (you know what) file to get user.txt?
The obvious chars that would allow that are being “filtered”.

I am not able to bypass the filter, and it doesn’t run on the other shell. :anguished:

Is it possible that the exploit is related to the php version?

So does the high port start banned?

@sherad said:

So does the high port start banned?

Yes…