Haystack

I can’t escalate, because the l*****h_* files that I created have been deleted several times.

Can someone help me with L** to get k****?

I’m stuck on the user part… I am looking for the db via http://10.10.10.115/b***/_al*/_search but I can’t see anything important… How should I get user, with reverse txt, or will I get credentials from the db from the web search? Any nudge please.

@x4t4n4x said:

I can’t escalate, because the l*****h_* files that I created have been deleted several times.

L*******h has a tendency to delete stuff if it doesn’t match its filter.

@KeyboardCaper said:

@x4t4n4x said:

I can’t escalate, because the l*****h_* files that I created have been deleted several times.

L*******h has a tendency to delete stuff if it doesn’t match its filter.

OK, thanks, but I renamed the filter file and the same thing happened: deleted.
I think that I need a special syntax. Can someone explain it to me a little bit? PM please.

The syntax is in the f****r.c**f file. Google-fu a debugging tool and play with the syntax.

@Tugzen said:
I’m stuck on the user part… I am looking for the db via http://10.10.10.115/b**/_al/_search but I can’t see anything important… How should I get user, with reverse txt, or will I get credentials from the db from the web search? Any nudge please.

The index the info is in doesn’t have a b in it.

Guys, what is this k*** user? I could get inside via the se***** user and can’t see the other user’s directory under /home. And wget or nc is not installed; I don’t know how I can download a file for priv esc. Can someone give me a hint? Thanks

@Tugzen said:

Guys, what is this k*** user? I could get inside via the se***** user and can’t see the other user’s directory under /home. And wget or nc is not installed; I don’t know how I can download a file for priv esc. Can someone give me a hint? Thanks

Use curl.

@sazouki said:

@Tugzen said:

Guys, what is this k*** user? I could get inside via the se***** user and can’t see the other user’s directory under /home. And wget or nc is not installed; I don’t know how I can download a file for priv esc. Can someone give me a hint? Thanks

Use curl.

:slight_smile:

You can also send a file over ssh.

Pretty nice box; triggering the k* user shell via curl is very frustrating if you have not read the renaming hint in the forum.

@KeyboardCaper said:

The syntax is in the f****r.c**f file. Google-fu a debugging tool and play with the syntax.

The debugging tool is a mess, but I finally got root testing my own recipes.

I had the K* user exploit working this morning, and now, trying the same thing using random file names… it’s not. :frowning:

I used an online debugger, got the correct syntax and placed l****h_, but I didn’t get any response.
Can someone PM me to check my syntax? Thx

@MrBreadcrumbs said:

Hey y’all, looking for a nudge on user. I have seen the hints in the image, I can view everything on the high port and I have seen two candidates for a password. Unfortunately I can’t seem to find a username! I see people say it should be near the password but I can’t seem to track it down. A push would be greatly appreciated!

Encode the “username” and then try to find the encoded string to get the username.

Rooted!

USER: was fun. I’ve never done that kind of CTF scenario before, with clues and puzzles. I felt like I was in the original Batman. Using the installable tool for processing that kind of db was a big help.

ROOT: What a faff. Waiting on the reverse shell was like waiting on Father Christmas. Tip: I spent ages getting root because I was putting the cart before the horse. When you’re organizing your attack, be sure that when you’re structuring it, you’re not mistaking the structure of the output for the structure of the input. When that penny dropped it was easy.

Also, when I was trying to root, some users kept changing my files. If you find a script on the box in a hidden folder that looks like a reverse shell, it’s probably another user’s. I don’t mind people reading or copying my scripts, but don’t alter them when I’m trying to fire them. MAKE YOUR OWN WORKING DIRECTORY.

Thank you to those who helped me get unstuck at k*****: @PanamaEd117, @knowyourenemy and @TimW94,
and thank you @joyDragon for a fun box!

Rooted. I did have problems with things not working as expected all the time.

Stuck on root; I can’t get the k****a user. I uploaded a shell but it doesn’t work. Help pls.

Rooted &&, learned new things about banana and g70k.

User was not so difficult. Now I will see about root.
For user: just dump and use the hint from port 80 :wink: