Unattended

Hey guys, Iā€™m pulling my hair out when it comes to user, I have no clue if its even possible to gain RCE through s** due to the grants so any nudges in the right direction are much appreciated!

feeling stupidā€¦ still looking for the websitesā€¦ I donā€™t see anything via dirb/nikto/wfuzz for daysā€¦ maybe I should become a gardenerā€¦ Someone said a first clue is visible within nikto results :frowning:

jesus I know as soon as I post this Iā€™ll find a hint myselfā€¦

In my opinion it should be 50. Somehow both user and root got me confused. I knew what I was looking at, but wasnā€™t able to exploit it, as apparently my tests didnā€™t run deep enough. Whatā€™s with that mail though? Hard is good, but in the end my feelings are mixed.

Hint if you are stuck on root (that is more general than just for this machine): mtime.

Hi guys, I have a shell as w**-*, but am struggling to privesc. Any hints would be appreciated!

Yeah if anyone feels like helping me out a bit with Unattended then let me know :slight_smile: me and a friend are a bit stuck on what approach to take after finding the initial vulnerability!

We found the S*** vulnerability, and have a few ideas.

Iā€™m learning a TON though :).

Hi guys, Ive been stucked already for about a week in escalating from w**-d*** to presumably g***. Iā€™m really on a desperation and need a help. Thanks!

Edit: managed to solve this, thanks for the help. +respect to those who reached out.

Type your comment> @rocux said:

Hi guys, Ive been stucked already for about a week in escalating from w**-d*** to presumably g***. Iā€™m really on a desperation and need a help. Thanks!

Go through the database and carefully analyze it. Thereā€™s only one table you need. Keep in mind that in most cases what seems useless may also be the only way to go. Donā€™t stop thinking about things that confuse you until you know that what youā€™re doing is not going to lead you anywhere. Always try harder and listen to yourself. When you want to leave something that confuse you, try asking yourself - ā€œam I really sure that itā€™s useless?ā€

Well any who could help me for approaching root, I think I have looked for every thing.
Donā€™t know what Iā€™m missing
Pm me please

Beautiful machine, but it is very hard, not a medium level IMHO. I am going to give some hints, I hope there are not spoilers:

  • User : Dumping is not the solution, you should understand which parameter the application is using and how the response is back using this parameter. Maybe you can manipulate the payload to achieve something else. After that, try to get some reverse shell looking for reflections in the response.
    Once you get a reverse shell, try to play with what you have played before. There is something that is refreshing if you do some updatesā€¦ suspicious :wink:

  • Root : Try to enumerate what privileges has this user, there is one that is not common that will give u a hint. It is not easy because is very sysadmin related.

Anyways, PM if you are stuck :slight_smile:

Congrats @guly, I have really learned some new things :blush:

Hi,

Iā€™ve dumped the trash and found something useful information. But stuck after that phase. Can someone give me a hint in PM? Thanks :slight_smile:

This has got to be the box that has given me the most trouble so far. Took me about 2 weeks of working on and off to figure out the doctorā€™s visit (thanks much to @Leonishan ) and Iā€™m stuck just a few steps ahead of that. Could someone PM me with some advice? I have a few questions. Thanks in advance!

a lot of caffeine was wasted during the user part : p wonder what about root now

any help? I stuck on L**

I already get some interesting info with sq**, but unable to move onā€¦hints please

rooted thanks to some tips from a patient @dr0ctag0n!

PM if you need a nudge. I barely made it through the box, but Iā€™ll try and help out where I can.

This machine made me bleeding for gaining user shell. Still try hard for root user :smiley:

Rooted the box ā€¦!!! Its insane ā€¦

I suspect that we have to do nested querys to get want we want, can anybody PM to make sure Iā€™m in the right way?

Type your comment> @hfernandes said:

I suspect that we have to do nested querys to get want we want, can anybody PM to make sure Iā€™m in the right way?

Finally LFI, moving on to RCE