Craft

I have root permissions but I can’t see the user flag and root flag! What am I doing wrong? Thanks.

Rooted! Very nice box and I managed to do it without any help. The hints in this forum were enough to get me through. My RCE was a bit of a kludge as I didn’t know the language but it worked eventually.

What a nice box. Finally rooted :slight_smile:

Feel free to PM me on Telegram @kod0kk for any nudge/hint.

Rooted! Clearly it’s my new favorite box! A biiig thanks to the owner!!

Rooted. Stuck on root because somebody who got root before me on this instance changed permissions (again!!! I must make a habit of rebooting the instance if stuck %). Rebooted and got root. The hint from @tomteng helped me realize that I had got lost again %)

Hi, need a hint here … I am stuck in the jail. I got a reverse shell using the script and creds. I’m in the d******. I can enumerate the database but only retrieve one user, which is the creds from before. I have found DB creds but they don’t work on anything (except accessing the DB with a script). There is one other pass which I have used with other users but nothing. Can’t find any hidden keys. If I go out and use the original script with creds I don’t get t**** or a connection.

Finally rooted. It was tough for me, but I learned many things. I can help with any hint, PM me if you need any help.

@chiefgreek said:

Hi, need a hint here … I am stuck in the jail. I got a reverse shell using the script and creds. I’m in the d******. I can enumerate the database but only retrieve one user, which is the creds from before.

Hi, in the jail you’ll have to find a way to reveal other users’ creds besides d****h. Read the Python code, it’s a bit tricky. You’ll have to modify one line in the script to retrieve additional data from the DB. You’ll need somebody else’s creds in order to step ahead.

Let me answer this post, as it was the most disturbing comment and provided no help whatsoever in finding the flags.

@laszlo said:

It’s my 2nd favourite box!

Quick tips:

  1. Read the source code (leakage).
    Actually, it’s not a data leakage. It is a well-known function that can be exploited and can give you a reverse shell.
  2. Use python3 (requests) to automate 2 things. Strange responses? Take into account the boolean logic :wink:
    What? Never mind…
  3. Inside: enumerate with python3 (8 lines of code).
    In fact, more than enumeration is needed: find the line and update the code in order to retrieve the additional information you need. Credentials.
  4. Use the data from 3. Don’t overthink!
    Useless comment. Of course you will need the data you found in the previous step to carry on.
  5. Grab user.txt
    Again, useless to say. Actually, you will have to SSH to the box after you have found the private key of the right user. To obtain the private key, you will need to properly authenticate to the Git repo (the d***** user won’t have it).
  6. Enumerate, use the documentation, login as root, grab root.txt!
    Naturally as always, but too little said. From the user shell, you’ll have to find a secure technology used on the server in a container (utilising OTP) and successfully extract data from it. That helps you to gain root access. You have to know how to use it; if not, you’d better look it up. After that, log on as root and get the flag.

I think I have all the important information to get a reverse shell. I am able to make modifications to the DB without any issues but I am unable to figure out the right shell syntax. Not a pro with Python, so a little bit of help would be great. Thank you!

edit: Found my mistake.

Finally rooted. Was a great box and it felt like a real-world scenario. Loved it! Feel free to PM me if you need hints.

Really nice box, had a great time.

If you are stuck somewhere, don’t hesitate to ask for a nudge; I’m happy to assist.

Edit: Overlooked a totally stupid open door … rooted

Spoiler Removed

Nice box, I don’t think it’s one of my favorites though. An intermediate-level box (at least for user). Too much RTFM; although that is pretty much a prerequisite for infosec, I find myself speed reading and missing stupid, obvious stuff lol. I’ll give this 4 stars, as it is straightforward, although if you don’t read everything carefully it can turn into a head banger. Some tips so others don’t have to scroll through the thread every time they need some ideas/help:

Initial Foothold:
Probably the hardest step on this machine. But don’t worry, it’s not that difficult. First, like everyone else is saying, make sure you enumerate the subdomains completely, I mean every single commit and line of code. You will see two things that should stand out. One will help with getting a token for the API (look at the code if you’re getting syntax errors when trying to authorize), the other is a naughty programming practice that has something to do with accepting user input. After that it’s just about making sure your payload is working and formatted correctly. If people are having trouble with a nc shell that keeps dropping, ask yourself what symbol/command in Bash can open up a new thread/process in the background.

User:
Hmm, sort of a headbanger, but actually straightforward if you don’t rush things like I did. You actually don’t have to enumerate much. It’s also basically about thinking how to leverage running a database query using the files and programs available to you. Also, if you find some loot, don’t be like Gog and Magog and throw it away ;). If you retrace your steps and keep your loot, you’ll find more loot by enumerating more, maybe even a key to the casshtle.

Root:
Easiest; I shouldn’t need to give anyone any tips here. It’s best to read the --help of an interesting service that isn’t run by default on *nix machines.

GL!
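The “naughty programming practice” with user input that the tips above hint at is the classic one of handing a request field to an evaluator. As an added example (not code from this thread, the box, or its author), here is that pattern beside a hardened version that parses the field strictly as a number; the field name `quantity`, the function names and the sample JSON payloads are assumptions constructed for the illustration.

```python
"""Added illustration: evaluating a user-supplied field versus validating it.
The endpoint shape, the "quantity" field and the payloads are constructed."""
import json
from typing import Any


def parse_quantity_unsafe(raw_json: str) -> Any:
    """Insecure pattern: the service assumes the client sent a number and
    'converts' it with eval(). Any expression the client puts in the field is
    executed inside the server process, which is the bug class the thread
    alludes to. Kept only as the 'before' picture."""
    payload = json.loads(raw_json)
    return eval(str(payload["quantity"]))  # deliberately unsafe


def parse_quantity_safe(raw_json: str) -> float:
    """Hardened version: the field must already be a JSON number in a sane
    range; strings are rejected instead of being interpreted."""
    payload = json.loads(raw_json)
    value = payload.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("quantity must be a JSON number")
    if not (0 < value <= 10_000):  # constructed business limit
        raise ValueError("quantity out of range")
    return float(value)


def is_accepted(raw_json: str) -> bool:
    """True if the hardened parser accepts the request, False if it rejects it."""
    try:
        parse_quantity_safe(raw_json)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


# Constructed sample requests: an honest one and one carrying a string
HONEST_REQUEST = '{"quantity": 12}'
EXPRESSION_REQUEST = '{"quantity": "6 * 2"}'  # text, not a number

if __name__ == "__main__":
    # The unsafe parser silently executes the string and returns 12
    print("unsafe:", parse_quantity_unsafe(EXPRESSION_REQUEST))
    print("safe  :", parse_quantity_safe(HONEST_REQUEST))
    print("safe rejects expression:", not is_accepted(EXPRESSION_REQUEST))
```

The point for a reviewer is that the unsafe version “works” for well-behaved clients, which is why it survives code review; the fix is to never let the type conversion step double as an interpreter, and to log and reject non-numeric input so the attempt is visible in the application logs.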

I actually rooted this a while back; I’ve just come back to say that ever since then this has been one of my favorites ever. IMO it’s incredibly realistic, I can tell, as I’ve been working with the exact tools for the past year. So yeah, really congrats to the maker; for me one of the best, nicely put together, modern, realistic boxes :slight_smile:

I enjoyed this box, it was realistic and straightforward and I always enjoy using python. I did waste a lot of time because I messed up when trying to sh with the i_r**, but other than that it was straightforward.

Tips:

  • If you’re struggling to get a reverse shell, first try to get any connection to your machine, then build on it from there.
  • Try lots of different types of reverse shell (pentestmonkey) until one works.
  • Once you’ve got a shell you don’t have to look very far to find the way to break out.
  • Once you have user, use your new creds to take a good look through Gogs. Find a way you can log in as root.

Feel free to PM for more help.

@MetinYigit said:

Hi everyone, I am stuck on user. I have found the ev** funct. and I have edited the te**.py file to get a reverse shell. But how can I trigger this file to take a shell? Any hint? Thanks

EDIT: GOT ROOTED! THANKS TO EVERYONE :slight_smile:

Finally rooted! Very realistic box, learned a lot.
Feel free to PM me if you are stuck!

I am stuck at the jail. Already got the credentials, all three of them, but I have no idea where to use them. Already tried SSH and looking through their Gogs repos, but nothing worked. Can someone please give me a hint?