Took me about 12 actual hours of work to fully root and mostly thanks to everyone who suggested hints in the forums.
User was interesting, ended up building my own server app to test the payload. Root was straightforward but that is to be expected in the real world as well.
Root took 10 seconds after getting user… perhaps it’s because I thought learning the tool was required for getting user since I didn’t see the *** key right away in the repo…
Can someone throw me a hint on the RCE syntax for the initial foothold? I’m able to authenticate and verify that I can create new entries. I’ve even set up a local script to make sure my syntax was right and that an rshell inside the e*l function works locally, but whenever I try to apply it to the box I either get that my abv is too high or an unhandled exception.
I’ve tried doing it through c**l, b*p and a py script; none work and I’m beginning to lose my mind -_-’
Where does the application store data? What binary is not available inside the docker? Please check settings.py
Ouch… this is my third machine, but with each one I get more and more the impression that the most important thing is to go through every file (shell) and page (web) very closely…
so far most things have been just right in front of me
Just rooted the box. User was a very nice ride; as for root, it was just a read through the documentation of a service, much easier. If you are stuck, feel free to PM me with your current progress for hints.
Finally! That. Was. Awesome! Thanks, folks, for every hint you left. Still cannot believe that I’ve lost so much time moving in the wrong direction, but anyway it gave me the knowledge how to obtain root later
User
No need to brute. No need to escape. You can get all prerequisites just from the source code.
It might be easier to get shell if you set up app locally and hack it a bit to bypass t*** validation (Hint: You cannot compare NoneType and int)
Then you may suffer with a minimalistic editor (which was funny though) or get yourself a proper shell.
Once you’ve got all c***, you’re in ten minutes to user.
Root
It’s easier than it seems to be. Just study infrastructure.
btw, does anyone know why hydra returns false positives for g*** along with the correct results?
Rooted. Extraordinary box with real-world experience. There’s so much fun in this process. User is much harder than root in my opinion. Feel free to PM if you need a nudge.
Rooted,
What an awesome box. Made super fun. Took me 2 days for the user though.
Root was fairly simple in comparison.
Read what you have and look it up
Rooted! Very nice box and I managed to do it without any help. The hints in this forum were enough to get me through. My RCE was a bit of a kludge as I didn’t know the language, but it worked eventually.
Rooted. Got stuck on root because somebody who got root before on this instance changed permissions (again!!! - I must make a habit of rebooting the instance if stuck %). Rebooted and got root. Hint from @tomteng helped me realize that I got lost again %)