• Just rooted the box. Took me awhile to do so.

    Initial Access: I was on the right track but tried to rush it so I made a oopsie and didn't notice my mistake for at least 1,5 hours.

    User: I needed a hint on this. I hate php and can't read it very well. My cryptonite. technique wise it's a rather basic thing. You just need to see where you have to deploy this basic technique.

    Root: Basic enum gave the vector away in seconds. After reading the source and "the other source" I just tried it and out "things" in there. Took me about 10 or 15 minutes for root.


  • I'm very Noob, any tips for a shel? Thank you

  • Type your comment> @LucSec said:

    I'm very Noob, any tips for a shel? Thank you


  • Wow this c****_a*****.p** really has me stumped. Can I get a hint or something to reference?

  • Alright, finally got root! Not too hard, just try, try, try again.
    I was spoiled the user flag, so if anyone would be so kind to PM me how the c****_a*****.p** worked i would really appreciate it!

  • wow, box is crawling at turtle speed, takes me at least 5 minutes just to change directories...wth

  • do we need to alter the code of C****_a*****.P**? i dont know php, but i think i understand what its doing, i just dont understand what it has to do with gettting the user flag. What am i missing??

  • edited September 2019

    You know it really fucking sucks coming into this room for a hint and seeing 40,000 comments all saying "iT's So SiMpLe AnD sTrAiGhTfOrWaRd". Why do people come in here just to be pricks?

    Some of us can't read PHP very well and get sick of looking up every single function, so it isn't "simple and straightforward" for us.

  • edited September 2019

    can someone dm for root assist. certain im in right place w/ vector but not sure why getting iface errors.

    Edit: nvm rooted

  • Can I get a nudge for user flag? I have a shell, and see the c********.*** file - don't know what to do from here (I've tried too many things to mention here).

  • edited September 2019

    Ok when I run c****_******.p** I see interesting actions that exist in the /v../.../..../up..... folder, but the names are something that is not touchable, and I am thinking I need to add my own. I HAVE NO IDEA how to go about this! Any assistance would be fabs!
    Thanks All!

    EDIT: USER Completed: For those having issues, TOUCH

  • edited September 2019


  • Can someone give me a nudge on the privesc to user? Based on what has been said in the forum already, I've been looking at c****_a*****.p** and can see the frequency with which it runs, I can't seem to modify the file however, and am not sure how to proceed.

  • edited September 2019

    For those stuck on a PHP-script, i would like to add that you don't need to be able to read/know PHP in order to spot the vulnerability, as the actual flaw in the script is not PHP-specific.

    Do some targeted thinking: I want to smuggle some command in, where could i possibly do that?

    Press F to give respect

  • Finally rooted. Turns out i wasn't using sudo with the correct script xD;
    Some takeaways:
    -Do use sudo
    -Use absolute path
    -You don't need another reverse shell
    -Try replicating the $y=$x scenario in your shell.

    PM for help.

    Big thanks to @cyberpathogen and @3DxHex

    For asking help, please describe what you have tried so far, so i don't spoil too much.
    If you believe i was able to help, please provide feedback by giving respect:

  • edited September 2019

    is there a level after root that I'm missing, or is the root.txt flag missing?

    edit: flag is there today, guessing it was a temporary issue. this one was a lot of fun, thanks!

  • please don't run any PHP script suing a***he user, by doing this you are ruining/ spoiling the server. I have one hour trying something and got the same wrong result because of this.

    Try!ng Hard3r, N3v3r G!v3Up.

  • i cant get my shell to last more than a minute at a time, near impossible to do anything..very frustrating

  • For all that are thinking they need to actually edit the php script within the interesting application for USER. Stop trying to change the php code, you dont have permissions to do it anyways. TOUCHING is the way to go, just remember there is a certain way that we have to TOUCH 'things to have them work the way we want them to'

  • HINT for USER : Look at the directory that the interesting application pulls from and then follow my last post! :-) If this is a spoiler, please remove it!

  • Hints for both user and root:

    This is a fun box; and the exploits all seemed to be a similar theme which I enjoyed. Especially coming from a mostly Windows background.

  • when you spent like 20 mins on reading networking scripts to find out how the argument parsing is done... and then wtffff moment :)
    thanks to ippsec, now i can finally say - easy stuff, rooted :) thanks for teaching me, master :)

  • Stuck on c****_a*****.p**, any nudge would be appreciated :smile:

  • Rooted! Thanks @guly for an outstanding learning experience.

    Hint for USER: You dont need to edit the special _.*** you just need to look over the source and see where its pulling from. Once you get that you can 'touch' your way to USER.

    Hint for ROOT: Do your best to not overcomplicate as I did. You dont necessarily need to understand the source of the special . but just analyze the feedback and base your next moves off that feedback! Kentucky Windage

    FEel free to DM me for hints. I had a blast on this box and learned a TON.

  • Hello everyone!
    For the moment I entered with a user shell thanks to the help of some users and for comments in the forum! I will try to go ahead following your suggestions! Thank you all!
    Great project!

  • Type your comment> @W3st1 said:

    Stuck on c****_a*****.p**, any nudge would be appreciated :smile:

    Create a file and wait!

    Try!ng Hard3r, N3v3r G!v3Up.

  • Intercepted someones code injection > @DrD3ath said:

    Hints for both user and root:

    This is a fun box; and the exploits all seemed to be a similar theme which I enjoyed. Especially coming from a mostly Windows background.

    thaaank u

  • Finally owned this box! Pm me for nudges

  • edited September 2019

    hi, stuck on user. Found U***.php but i cant seem to do anything with it :/

  • edited September 2019

    Rooted this box! You do not need to know how the code works, just try to put basic command & look at the output, you will figure out how to get PrivEsc.

    But I really appreciate if someone could explain me why it worked!

Sign In to comment.