Jarvis

Very nice machine, I wasted a lot of time on the first part because I overestimated it. For root, use what's under your eyes, sometimes you are root without being root.

Rooted! Very nice machine, learned a lot! My favourite box yet, big thx to @manulqwerty and @Ghostpp7 !
Thank you @ThunderB for the hint! It spun me out from my brain loop :)
Feel free to PM for hints.

Awesome box! Thx @manulqwerty & @Ghostpp7 for a solid challenge! User was an exceptionally nice experience, and found two slightly different paths towards obtaining a shell although the vulnerability is the same – I'm guessing that there are even more ways to do this.
I found root pretty much by thorough f********m enumeration, but am a bit puzzled on what configuration flaw would lead to this privilege escalation method as this would not normally occur on any Linux box for all I know. If you know more on the underlying configuration, I am all ears.

Nice box, got a little stuck on syntax at the end but enjoyable…

anyone able to assist in helping me do local priv esc. stuck with www-data user

@barondune said:

anyone able to assist in helping me do local priv esc. stuck with www-data user

look for something that does not belong to you but you can borrow. :slight_smile:

@Jumecittu said:

@barondune said:

anyone able to assist in helping me do local priv esc. stuck with www-data user

look for something that does not belong to you but you can borrow. :slight_smile:

Thx man. I was able to figure out user. Stuck on root

My best advice on root: Be lazy, you don't need a shell, you just want the flag

@t3ngu said:

My best advice on root: Be lazy, you don't need a shell, you just want the flag

Thx man. Someone also pointed out a few things that is a CVE that abuses some systems things (leaving out details) but I don't understand it.

All I ever get from this s*****py script with the added command is "No output" or the help menu even if I purposely put things that are meant to be forbidden. Banging my head against the wall!!!

This is killing me off. I reset the box as I was getting EOF errors from the py script. Now I get the banned message and the tool I used to remote shell previously will not connect.

Reset again and I'm banned immediately. Waiting 90 seconds does nothing. This request is to port 80 too so nothing to do with the high port. I can't fathom why I wasn't getting banned before no matter how much traffic I threw at the box, but now I can't view one web page.

@thegoatreich said:

All I ever get from this s*****py script with the added command is "No output" or the help menu even if I purposely put things that are meant to be forbidden. Banging my head against the wall!!!

You're pinging. If you google for ways of doing creative things with that you'll find a format that works for the script.

Does anyone know why I used to be able to use s&lm*p on this box with no issues, and now as soon as I do I get banned? So frustrating not being able to get back to where I was.

Nvm. Tamper scripts enabled me to get back to os_shell. Back to that head scratcher. Googling ping commands hasn't shed any light. I feel like I'm being thick here.

Hi, can somebody please help me with the last step of user, where you make this specific command? I already figured out the vulnerability and know how to bypass, but I always get some errors. Please send me a message

Rooted.

I found one way to an initial foothold, can see there is at least another. Interested to hear from anyone who wants to compare notes.

EDIT: never mind, I think I have the answer

I'm stuck on the initial foothold. I'm finding other people's shells during my enumeration, and could easily just use them to get a shell as www-data but I need to know how people are getting those shells uploaded.

I know that *.php?= URL that may lead to an LFI: I cannot provoke this URL to give me anything of use by way of either a file or a useful error message.

I've also found the login for /p*******n, but I can't exploit it unless I'm finding the credentials?

Can someone PM me a hint to help me exploit the room?

Edit: Got credentials to p********n, thanks to @sneakypanda for the nudge and confirming I was on the right track after the fact.

Can someone help me on this? I have been looking at the rooms for hours but cannot find anything. Thanks.

My hint to root:

If you are using an outdated version of LinEnum… try to update it from the GitHub page and you will be able to see the path.

Don't be a dumb like me :neutral:

Can anyone drop me a message with a hint on root? Happy to say where I'm up to and what I've tried. Pulling my hair out a bit!