Jarvis

I got the shell but with www-d@t@ as the user. Can someone guide me how to do privileged escalation?

Can anyone help me with the root part? DM me

Working on this box. I am able to read files via a certain room url as well as write to /t**. I. Unable to execute anything with this vulnerability since I can’t seem to write files to /v**/w***.

I have gotten a DB password but don’t see many places to use it.

Am I in a rabbit hole trying to write a file this way?

can someone help me run the python program as p****r? I feel so close.

Rooted! Actually pretty easy but I made unnessary mistakes, so that this was the box I spend the longest time on. Thanks to @ixxelles for helping me out.

nice box, learned something new from it :slight_smile:
anything you must need for the entire box is in this post already, but if you want help just come inbox

root@jarvis:~# id; wc -c root.txt
id; wc -c root.txt
uid=0(root) gid=0(root) groups=0(root)
33 root.txt

Cool machine! :slight_smile:
Fim de jogo.

Trying get www-* shell from other ways. Until now I can confirm two different ways to get it.

Rooted. www-* to root was fun. The path to root was interesting with a lot of learning potential for linux sysadmin control features.

There are plenty of hints in this thread to get you through. Once you get your shell it’s straightforward.

Okay, still working through user. I am having a syntax error. I am using a certain web attack on a room. I can write files to /v**/w**/h***. But when viewing the new file, it shows me the column numbers with my code in the column I used.

I can get a shell with a popular tool, but there are limits to that shell.

User down. Bad syntax on my part. No creds needed. On to root…

Rooted at last.

I spawned one shell from another shell from another shell from another shell from another…

Tip for root: copy your public key into authorized_hosts and just ssh in. I was unable to modify the system administration stuff from my reverse shell. I ssh’d in properly, and the same exact steps worked perfectly.

Edit: Before I logged off the box I saw someone message me on the wall about how I got a particular file into the /tmp folder. Use your kali’s apache server, host whatever files you’d like to be able to transfer on there, and then use wget from your shell on the box.

Finally rooted. Great Thanks to @WhiteVoid especially and some others that help me along the way.

One shell leads to another leads to another leads to…root.txt
Nice and straightforward box which aside from that one s*******l breadcrumb at the end is quite a life-life setup.

Thanks @manulqwerty and @Ghostpp7 for this one!

Feel free to PM if you’re stuck and looking for a nudge in the right direction.

I’m super lost with the hint about the rooms… a PM nudge in the right direction would be greatly appreciated.

Sooo back at root. I am in as w**-d***, full tty using python pty. I was working at a certain script owned by p***** that according to s*** I could run. But a few dozen tries with different input/output configurations nothing came up. All led to permission denied or temporary failure in name resolution. Figured I might be in a rabbit hole.

Then I started privilege esc enum again and noticed a certain binary that could be run by another user. Thats where I am stuck, trying to either move to the certain user, or leverage the binary to do what I need it to. Would appreciate a nudge.

Thanks!

Great box, loved it !

User:
enumeration doesn’t always mean dirb
If you’re being blocked change things…
Know your tools, man is your friend…so is Google!!!
don’t over complicate, keep it simple and when stuck, back to this thread, all the clues are here

Root:
Enumeration, find something that looks unusual, google…google some more, read the thread again.

Hey guys, I am trying to hack jarvis but it seems im totally stuck after the enum… found the p********n page and im totally lost now… I think it’s vuln to LFI but not sure as some exploits didn’t work… any useful nudge where to look? Im new into this :frowning:

Type your comment> @idomino said:

I’m super lost with the hint about the rooms… a PM nudge in the right direction would be greatly appreciated.

THANK YOU for those who PM-d me :slight_smile: Got the user, now onto the root :slight_smile:

Type your comment> @mava said:

Can someone help me a bit?
I got the shell as pr via sr but no wan’t echo any output.
If i type ls, it just shows ls but not the folders.
But I still can use cd, i just have no output for the commands.
Maybe I did something wrong with the privEsc command.
Little Help would be nice.
Thanks :slight_smile:

Just exit after giving your commands. Will see the output