Writeup

Wasted a long time on root trying to establish a reverse shell, however just using cat on the root.txt file works too I guess. Still not sure why my reverse shell wouldn’t execute…

Hello everyone,
Stuck on getting root flag. Privilege escalation. Could use some help please.

My exploit keeps timing out. The S** I***** exploit.

Anyone encounter this and know a way around it?

Nevermind, I was in the wrong directory.

Edit: okay yeah, but it’s also timing out when I tried it again.

Now trying to get root, totally out of ideas on how to do the PATH thing. I have a rough idea of how to priv esc, but I’m totally stumped on how to do it. Yes I’ve looked at the processes.

Guys,

Hint for ROOT:

If you are using VIP server, switch for the free one.
In the free server, there is traffic that in VIP server you most likely won’t see.

After switching to the free server, try to see what happens after other users logged in.

PM me if you need more help.

Need help with root!! Got no clue what to do? I am monitoring pspy ssh logs path but not sure what to do about it.
Anyone up for help here?

This priv escalation is gonna make me smack my head on the desk. I for sure found the directory I can write to, and I see what happens with a netconn. Just gonna take a break for now.

@TheRealHooz
Me too, stuck there. Got the directory but ■■■■ nothing working. I am already banging my head.

Can anyone help me with the credentials? I’ve found user, email, salt and passwd and it seems to be impossible to decode it…

Can anyone PM me? It’s been 3 days. I’m stuck on the user part. I am unable to bypass the T*** (D*** prote****).

@l3n01n3 said:

Can anyone help me with the credentials? I’ve found user, email, salt and passwd and it seems to be impossible to decode it…

Hint: crack them the way you found them … double check options you have :wink:

Guys, I am really stuck.
PM me for root hint: what is the way of creating C*** jobs to execute r***-***

UPDATE:
Rooted: it was a really awesome machine, and a special thanks to @DedStroK for his hints.

Got user on this machine pretty quick.

Root took me longer than it should have. I was missing something glaringly obvious. Just remember permissions are important!

Does the pass of user *** have more than 8 characters?

I’ve cloned dictionaries from GitHub, tried a couple of them and now I’m stuck with bruteforcing the md5(salt:hash) since I don’t have adequate GPU power.

EDIT: thx for the PMs, found out that I mishandled hashcat and that it makes sense to look closer at scripts (and their built-in capacities) before usage.

I’m stuck with root flag… I have launched p**y and I believe that I have seen all the relevant info but I don’t know how to use that…

Some pm with a little hint would be very useful

Got user but stuck in the root. Can someone explain to me what to do with the p**y thing? Or should I try other way? Really appreciate the help.

Nevermind…

@salt said:

On root, I ran pspy, noticed the non absolute path process, had some hints from ippsec’s lazy path video, tried that, none has given me a shell!

I’d appreciate some help here, I don’t want to skip this machine.

Actually, here you won’t get a root shell by the usual exploit ways. You’ll need to enumerate. First check the processes with the pspy tool, watch closely for a process executed by root incl. the command line. Take note of a dir in the PATH. Then craft your own script against a well known binary, copy it over to a dir where you can write in the PATH. Your script will be executed instead of the binary with root privileges doing whatever you want. Done and dusted. You are root :smile:

@heindycat said:

Got user but stuck in the root. Can someone explain to me what to do with the p**y thing? Or should I try other way? Really appreciate the help.

No, that’s all you need. Just run it and watch carefully what processes are executed as root (UID=0). Then you’ll spot one which you can actually exploit by writing your own script :smiley:
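Added example, not part of any post in this thread: the condition the last two replies describe (a root process calling a command by bare name while a directory earlier in its PATH is writable by other users) can be audited from the defending side with a check like the one below. The function name, the `trusted_uids` parameter, the `helper-tool` command name and the temporary directory layout are all constructed for illustration.

```python
import os
import stat
import tempfile

def risky_path_dirs(path_value, command, trusted_uids=(0,)):
    """List PATH entries searched before `command` resolves that an
    untrusted account could plant a file in."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            findings.append((entry or ".", "relative or empty entry"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # missing directory: nothing can resolve from it
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((entry, "group-writable"))
        elif st.st_uid not in trusted_uids:
            findings.append((entry, "owner not trusted"))
        candidate = os.path.join(entry, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            break  # lookup stops here; later entries are never consulted
    return findings

def demo():
    """Constructed layout: one open directory and one locked-down directory."""
    root = tempfile.mkdtemp()
    open_dir = os.path.join(root, "local-bin")
    safe_dir = os.path.join(root, "bin")
    os.mkdir(open_dir); os.chmod(open_dir, 0o777)
    os.mkdir(safe_dir); os.chmod(safe_dir, 0o755)
    tool = os.path.join(safe_dir, "helper-tool")  # hypothetical command name
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(tool, 0o755)
    me = (os.getuid(),)  # treat the test account as the trusted owner
    before = risky_path_dirs(open_dir + os.pathsep + safe_dir, "helper-tool", me)
    after = risky_path_dirs(safe_dir + os.pathsep + open_dir, "helper-tool", me)
    return open_dir, before, after

if __name__ == "__main__":
    print(demo())
```

An empty result for a given PATH and command means every directory consulted before the command resolves is writable only by trusted accounts; calling the command by absolute path in the root-owned script removes the dependency on PATH order altogether.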