Jarvis

Type your comment> @iQimpz said:

"Hey you have been banned for 90 seconds, don’t be bad " for hours now… anyone know why Im getting banned forever it seems like. haven’t been able to do anything to the machine for hours.

Try stopping your automated tests and clear browser cache. In my case F5 (or Ctrl/Cmd+Shift+R) was enough to solve the problem.

Finally managed to get root. Great machine, managed to learn a lot out of it. However, since I am relatively new to all this , would someone be kind enough to PM me and explain why the last step works that way? No need to post any hints etc since the posts here have pretty much everything covered.

i got stuck on w-d.
i already found simpler.py but i didnt figure out how to get pepper shell please DM for help tks

I am horrendously stuck at user. Have shell at w**-d***, but have no idea how to use s******.py. Any help would be greatly appreciated!

Rooted!
Tips -
Initial Foothold - classic enum > OWASP top 10 > explore the options of your tool.
USER - search for a script with appropriate permissions > escape forbidden characters (there is one technique that isn’t forbidden)
ROOT - enum again > then focus in and correct your syntax

Any questions feel free to PM me!

Finally rooted!
Tips :-
User → Attract the shell by the power of dollar :stuck_out_tongue:
Root → gtfo i am not gonna tell you :stuck_out_tongue:
if you are still stuck at some point feel free to ping me up for hints or solution :slight_smile:

Could I have some help on getting s******.*y? I know that I have to use some special character but I don’t know which one

Awesome box, got hung up on stupid mistakes for a couple hours. Nothing in this guy is too complicated, just double check your enumeration and make sure to read all the other hints on here. Pretty straightforward path to root.

Spoiler Removed

r00ted!!

Foothold:
Enumerate and map an OWASP to 10 veteran

User:
Standard enum script will show you have been allocated the power! Now find out how to bypass the restrictions and unleash the beast!

Root:
Previous enum should show a powerful misconfiguration GTFO bins will help but steer clear of a well know writable dir as it doesn’t play nice

Rooted!

Thank you to @pmi for setting my sudo syntax staight :slight_smile:

Feel free to PM me if you need a hint.

Any idea about Failed to link unit: The name org.freedesktop.PolicyKit1 was not provided by any .service files ???

i tried the full path too but i get Failed to link unit: No such file or directory

What am i missing ?

EDIT: rooted thanks to @garffff for helping me correcting my syntax

Advice don’t enable the service from the /tmp directory because it gives that errors above try to enable it from the user directory.

Rooted. Leaned a lot about services. A TON of googling helped me

Great box, quite straight forward in hindsight.
Could someone PM me on the initial foothold. I think I did it “wrong”. People keep mentioning the hotel rooms, but I ignored them completely.

nvm. atleast kozak did it like me.

Wow this was tough… for a newb like me. I was able to figure out the creds on my own but they where not needed. Then I managed to upgrade my shell alone. But after that I needed hints and help Thank you to @sl0w and @garffff couldnt have done it without you and I did learn a lot of cool stuff as well as added good links to the folder… Will be studying more on these subjects…

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Rooted - root was easier than user imo. I spent too much time on getting from initial access to user, felt like I was going mad at one point. Some good lessons learnt - nice box! DM if anyone wants help.

R0oTed !!!

Lot of hints on this forum, want root then read forum carefully…!!

root@jarvis:/root# id
id
uid=0(root) gid=0(root) groups=0(root)

Thank you @d0n601 , that gave me the last push to root.

"Tip for root: copy your public key into authorized_hosts and just ssh in. I was unable to modify the system administration stuff from my reverse shell. I ssh'd in properly, and the same exact steps worked perfectly."

I’ve only done a few boxes but so far this one has been the most fun one.

So I was able to get the user hash without actual getting a full shell for the user. Is that a valid own? Not sure if I can put how I did that on the board so DM for breakdown. Still new to this

Type your comment> @qmi said:

@voidhofer said:

sudo . Always try the most obvious first

Yep. That was my first attempt but it does not work without a password. Tried with multiple shells, also tried with different versions of python, still no luck.

For that command, AFAIR, you don’t need to specify password. It’s been some time ago when I did that box, but for me it did not require password. I managed to log on via SSH keys.Once you are user, you can try the following:

sudo -u p****r /var/www/Admin-Utilities/s*****r.py -p

after the prompt, specify the command you like to have run under the p****r user privs by using a special Bash shell magic :wink: . It’s in the Bash docs among how to run external commands as a subshell.

Hope this is not a spoiler

I’m using this method exactly, but any commands I run via the technique described at Infoblox NetMRI 7.1.4 Shell Escape / Privilege Escalation ≈ Packet Storm still end up running as w*-d* - tried nc, tried a revshell binary, even tried writing whois to a file. Insanely frustrated, not even clear on what to google at this point.