Craft

@laszlo said:

Where does the application store data? What binary is not available inside the docker? Please check settings.py :wink:

Ouch… this is my third machine, but with each one I get more and more the impression that the most important thing is to go through every file (shell) and page (web) very closely…

so far most things have been just right in front of me

@laszlo said:

Don’t overthink!

My head is slowly approaching the size of a big pumpkin, pivoting around in the d…-c…

@kievcast said:

I’ve tried doing it through c**l, b*p and a py script none work and i’m beginning to lose my mind -_-’

I hate when that happens.

Before you do… lately I got the impression that there is too much traffic on the free VPN nodes; I changed to VIP and my exploit worked.

user pwned

edit: rooted

Rooted.

Tnx to @gorg and @S7uXN37 for their help.

Base

--> Read the API code and enumerate everything especially the git log.

Shell

--> Use the data collected from the previous enumeration and craft a payload for a shell (try searching for Python vulnerabilities).

User

--> More enumeration this time using a running service.

Root

--> Documentation will aid you.

Have a nice hack

Just rooted the box :smiley: User was a very nice ride, as for root it was just a read through the documentation of a service, much easier. If you are stuck feel free to PM me with your current progress for hints

Finally! That. Was. Awesome! Thanks, folks, for every hint you left. Still cannot believe that I’ve lost so much time moving in the wrong direction, but anyway it gave me the knowledge how to obtain root later

User

No need to brute. No need to escape. You can get all prerequisites just from the source code.
It might be easier to get shell if you set up app locally and hack it a bit to bypass t*** validation (Hint: You cannot compare NoneType and int)
Then you may suffer with a minimalistic editor (which was funny though) or get yourself a proper shell.
Once you’ve got all c***, you’re in ten minutes to user.

Root

It’s easier than it seems to be. Just study infrastructure.

btw, does anyone know why hydra returns false positives for g*** along with the correct results?

Rooted. Extraordinary box with real-world experience. There’s so much fun in this process. User is much harder than root in my opinion. Feel free to PM if you need a nudge.

Rooted. That box is awesome.

If anyone could PM me some help with the e*** payload it would be much appreciated; I can’t seem to get past “An unhandled exception occurred.”

Rooted, thanks for the nudges. Total brainfart for me. stuck hours on a typo, but that speeded up the few minutes to root after user :slight_smile:

Rooted,
What an awesome box. Made super fun. Took me 2 days for the user though.
Root was fairly simple in comparison.
Read what you have and look it up

i have root permissions but i can’t see the user - flag and root - flag! What am I doing wrong? Thanks.

Rooted! Very nice box and I managed to do it without any help. The hints in this forum were enough to get me through. My RCE was a bit of a kludge as I didn’t know the language but it worked eventually.

what a nice box. finally rooted :slight_smile:

feel free to pm me at Telegram @kod0kk for any nudge/hint

rooted ! clearly it’s my new favorite box ! A biiig thanks to the owner !!

Rooted. I was stuck on root because somebody who got root before on this instance had changed permissions (again!!! I must make a habit of rebooting the instance if stuck %). Rebooted and got root. The hint from @tomteng helped me realize that I had got lost again %)

HI, Need a hint here … I am stuck in the jail. I got a reverse shell using the script and creds. Am in the d****** . I can enumerate the database but only retrieve one user which is the creds from before. Have found db creds but they don’t work on anything (except accessing the db with a script) There is one other pass which I have used with other users but nothing. Can’t find any hidden keys. If i go out and use original script with creds i don’t get t**** or connection.

Finally rooted, It was tough for me, but learned many things. for any hint I can help, PM if you need any help

@chiefgreek said:

HI, Need a hint here … I am stuck in the jail. I got a reverse shell using the script and creds. Am in the d****** . I can enumerate the database but only retrieve one user which is the creds from before.

Hi, in the jail you’ll have to find a way to reveal other users’ creds besides d****h. Read the Python code, it’s a bit tricky. You’ll have to modify one line in the script to retrieve additional data from the DB. You’ll need somebody else’s creds in order to step ahead.

Let me answer this post, as this was the most disturbing comment, which provided no help whatsoever in finding the flags.

@laszlo said:

It’s my 2nd favourite box !

Quick tips:

  1. Read the source code (leakage).
    Actually, it’s not a data leakage. It is a well-known function that can be exploited and can give you a reverse shell.
  2. Use python3 (requests) to automate 2 things. Strange responses? Take into account the boolean logic :wink:
    What? Never mind…
  3. Inside: enumerate with python3 (8 lines of code).
    In fact, more than enumeration is needed: find the line and update the code in order to retrieve more information you need. Credentials.
  4. Use the data from 3. Don’t overthink!
    Useless comment. Of course you will need the data you have found in the previous step to carry on.
  5. Grab user.txt
    Again, useless to say. Actually, you will have to SSH to the box after you have found the private key of the right user. To obtain the private key, you will need to properly authenticate to the Git repo (d***** user won’t have it).
  6. Enumerate, use the documentation, login as root, grab root.txt!
    Naturally as always, but too little said. From user shell, you’ll have to find a secure technology used on the server in a container - utilising OTP - and successfully extract data from it. That helps you to gain root access. You have to know how to use it, if not, you’d better look it up. After that log on as root and get the flag.