Arkham

Anybody got any nudges about bypassing restrictions and restoring the admin's powers? I think I have the right exploit but PowerShell says no.

Awesome machine :slight_smile: Root was very nice!

Anybody willing to help with decrypting the vs value? I have the key, but I keep getting “bad magic number” when using openssl to decrypt it. Please PM me. I did many different tests, but I’m failing; any hint in the right direction is appreciated.

It would also be useful if somebody could PM me answers to the following questions:

  1. Is the MAC part of the value? Should I isolate it before decrypting? I tried with the whole string or to isolate the MAC (with b64 extra space) needed space from the beginning and the end of the string, unsuccessfully.

  2. Are the + in the value part of the b64 string? Or are they there because of URL requirements? Again, I tried with the whole string, part by part, unsuccessfully.

  3. Is -pass the correct switch to pass to enc? This seems to be the more appropriate, but I tried to pass my secret in different ways and it didn’t work.

  4. Am I correct that my real key is the decoded secret?

I’m running out of options, at this point I feel like I’m bruteforcing the string, I only try minor changes but without seeing why it should be different from everything else I tried.

@kecebong said:

I got the zip file and was able to mount the img file and got the secr3t for my faces, and I could see the faces in UserSubscribe.faces, but I am unable to decrypt it using an online web tool. Anyone kind enough to point me in the right direction? Or any link I should read?
Thanks

Got Bat shell, but can’t do anything. Tried U** bypass and found .b*t file but no luck on what to do. Anyone kind enough to shed some light?
Thanks

Finally

I am able to decrypt, encrypt and sign… But none of the payloads are working… All I get is a 500 error… Tried decrypting, encrypting and signing the available V******** and that gives me 200
Confused!!! Any help would be appreciated

Ran B**k over the b****.g but I don’t see anything interesting. Had a squizz through the Tt files, but nothing stands out. Would appreciate if someone could shoot me a PM.

I need a nudge please. PM me please

Managed to get the string from relevant files from the img. Need some help on how to decrypt viewst and also how to encrypt using secret. Any nudges welcome!

Stuck on the way forward to admin, have two users, nudge appreciated if someone has time. Cheers.

Cracking for the password…

Gmmm, playing with this box for a day but can’t ping myself…
any gentle nudge appreciated!
edit: nvm finally able to ping myself. onto user. what a hard and nice box!

@s0lari said:

Managed to get the string from relevant files from the img. Need some help on how to decrypt viewst and also how to encrypt using secret. Any nudges welcome!

Same spot

Nice box, for user - read the sources…

Can anyone tell me what to do after getting secret and other stuff from t****ct?

I’d also take any hints on where to go next after Bruce has been exhausted and his ability to take a b*****.img is in question. I feel like going after the faces vse is next but not connecting the dots on successfully getting a decrypted/deserialized object or how to utilize that once I have. New to all this stuff but hate to give up, been a few days now though lol

Please PM. Can someone give a hint on how to fix the 500 and get a ping back to my machine?

I too am stuck at the point of trying to ping back to my machine, but keep getting 500. Can someone please PM me with some tips on how to format my payload?

@watashiwaojsn said:

Gmmm, playing with this box for a day but can’t ping myself…
any gentle nudge appreciated!
edit: nvm finally able to ping myself. onto user. what a hard and nice box!

After getting the user shell, stuck at privesc for days. mmmm.
Anyone at the same point?

edit: Finally rooted with reverse shell! Wow! Surprised old technique still worked even today. Live off the land!
edit 2: compared the solutions but it seems my painless way was not mentioned anywhere

Any hint about priv esc to root? I guess I already have a B***** user and password after getting an image…