Writeup

Stuck cracking the hash. I always get the same one, but even with the biggest wordlists I can’t get the pass. Can someone who got user contact me to verify I got the right one?

EDIT: Never mind, I simply hadn’t copied the whole salt from the output of the exploit.

Finally rooted. Very interesting PrivEsc I have never experienced before. Also took a bit longer as some folks thought it might be funny to empty the contents of root.txt to make me think my script wasn’t running LOL. Thanks to @riazufila for the amazing hints!

Awesome job on the part of the creator, @jkr.

Rooted :blush:

USER:

You might want to carefully observe the source code or use something like Wappalyzer if you don’t want.
Before running the exploit, edit it a bit according to the warning displayed on its normal run.

ROOT:

Root part is comparatively easy. The only hint I can give you is that there are more than 2 vulnerable things running there. If one of them or some of them doesn’t work, you can trigger all of them to do your job. :slight_smile:

Hope I didn’t give any spoilers! Please feel free to delete it if you think it’s a kind of spoiler.

Happy Hacking!

Huh, rooted finally.

Was able to find a root key after switching to free server.

May anyone share their root pwning experience?
I’ve tried quite a lot but failed all previous times, I really wonder what I was doing wrong.

Appreciated.

@jkr thanks for the machine and few days of my life spent to solve that one

I am having a very hard time figuring out root. Have been messing with it for the past couple days. I’ve managed to spot some processes that are of interest but I just cannot figure out how to make them work towards my advantage. Any nudges will probably help. Losing my mind!

Rooted, nice box… Pretty user and subtle priv esc

Shout out to the guy that wrote the Exploit DB script for a service on this box

My god root on this box was such a pain in the ■■■■ - and it really didn’t need to be whatsoever.

The hint I found most useful was:

PATH has a priority, binaries are looked for in the PATH from most preferred to least. I think left to right…

With that in mind, you can make a binary sort of… skip the queue? and that binary can do something evil :smile:
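The lookup order described in the hint above, turned into a hardening check. This is an added example, not part of the original post, and the function name `path_shadow_risks` is hypothetical. It walks a PATH string left to right and lists every directory the current user can write to that is searched before the directory the command actually resolves from.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH string for writable
# directories that take priority over the real location of a command.
# The function name is hypothetical.

# Usage: path_shadow_risks COMMAND [PATH_STRING]
# Prints one risky directory per line; exit status 0 if any were found,
# 1 if none were. Runs in a subshell so no variables leak to the caller.
path_shadow_risks() (
    cmd=$1
    rest="${2-$PATH}:"      # trailing colon lets the loop consume every entry
    status=1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}     # leftmost remaining entry is searched first
        rest=${rest#*:}
        # An empty PATH entry means the current directory.
        if [ -z "$dir" ]; then dir=.; fi
        # Lookup stops at the first directory holding an executable file with
        # this name, so nothing to the right of it can take its place.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            break
        fi
        # A writable directory searched earlier lets its owner decide what
        # the command name resolves to.
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
            status=0
        fi
    done
    exit "$status"
)

# Check the current environment for one commonly invoked command.
path_shadow_risks sh || echo "no writable directory precedes sh in PATH"
```

Run it as the unprivileged accounts on a host against the PATH that root's scheduled and login-triggered scripts use; any directory it prints should be made non-writable for that account or moved behind the system directories.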

got the user flag and am now stuck at root. I see writable directories, looked at what binaries ran but can’t find a way to replace one or “jump the queue”. Any tips?

Just got my first user flag on this. Ready to try and jump on the root flag tomorrow or later tonight.

Can anyone help me a bit with root? I read the comments and I understand the priority of the PATH. I also got p**y running and see the tasks but can’t get an escalation…

still stuck at root. tried to follow the forum hints, anyone can PM?

Thanks

PM me if you like

I have a remote connection to the file system but it keeps crashing, is this due to someone exploiting the thing I’m currently trying to figure out to get root?

Ok, I have a question. I rooted the machine, but it would be impossible for me without reading this topic. How do you guys come up with the idea like “oh, let’s take a look at p*****s and then take a look at $P and so on to get root”?

USER OK, but root… impossible… I cannot find any exploit for it, not for M****, not for 2. It is my first machine, everyone says “It’s easy”, but I really don’t think so… After many hours I’m a little bit… desperate. What to do with C* or with the rest of the processes? Who knows…

Can I PM someone for help? Maybe I’m trying to run the wrong script, but I repeatedly get nothing when trying to find the salt…

Finally I did it!!! I hope there are not so many machines to use c****** like this…

Rooted.

User - Find the webpage by using our mechanic friend and then find the relative exploit, personally I never messed with the time variable and for cracking the salt/hash I saw a useful hint on here that stated use a ‘famous kali word list’ and I can confirm it works.
Using the creds you harvest? How did you find out the box had a webpage?

Root - Get a tool that shows background processes and watch. If you’re on VIP, generate traffic yourself, public? Just sit and watch.
After that, find out what root is doing upon traffic being generated and try exploit that.

And for the love of god please if you put root.txt in /tmp fucking remove it after you’ve copied the flag!!!

Rooted! My first root on here and would have been much sooner if I’d not missed the first 11 characters from something.