Wow this was tough… for a newb like me. I was able to figure out the creds on my own but they were not needed. Then I managed to upgrade my shell alone. But after that I needed hints and help. Thank you to @sl0w and @garffff, couldn't have done it without you, and I did learn a lot of cool stuff as well as added good links to the folder… Will be studying more on these subjects…
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
Rooted - root was easier than user imo. I spent too much time on getting from initial access to user, felt like I was going mad at one point. Some good lessons learnt - nice box! DM if anyone wants help.
Thank you @d0n601, that gave me the last push to root.
"Tip for root: copy your public key into authorized_hosts and just ssh in. I was unable to modify the system administration stuff from my reverse shell. I ssh'd in properly, and the same exact steps worked perfectly."
I’ve only done a few boxes but so far this one has been the most fun one.
So I was able to get the user hash without actually getting a full shell for the user. Is that a valid own? Not sure if I can put how I did that on the board so DM for breakdown. Still new to this.
Yep. That was my first attempt but it does not work without a password. Tried with multiple shells, also tried with different versions of python, still no luck.
For that command, AFAIR, you don’t need to specify a password. It’s been some time since I did that box, but for me it did not require a password. I managed to log on via SSH keys. Once you are user, you can try the following:
after the prompt, specify the command you'd like to have run under the p****r user privs by using a special Bash shell magic. It’s in the Bash docs among how to run external commands as a subshell.
Hope this is not a spoiler
I’m using this method exactly, but any commands I run via the technique described at Infoblox NetMRI 7.1.4 Shell Escape / Privilege Escalation ≈ Packet Storm still end up running as w*-d* - tried nc, tried a revshell binary, even tried writing whois to a file. Insanely frustrated, not even clear on what to google at this point.
Rooted. Very fun box. I spent 2-3 days on the initial foothold. I never used s*l**p before, so on one of the pages I got a positive result and to be honest I don’t know why the tool didn’t work on other pages but worked on that one, maybe someone can explain it to me because I think I am weak at the web part of the game. After that it was easy and straightforward. Thanks to the creator of the machine.
If you keep getting a shell under w-d, don't use the python command… just go straight for the script. I lost a couple of hours because of this since it was running the ‘python’ command under pepper but not the actual script.
Rooted. Box is pretty straightforward. Thanks to @darkkoan for reminding me to read enum results very thoroughly.
I had one issue though. When I got into **pr, I could not see the output of my terminal commands. Had to create another nc session. Then, in that nc session, after getting an interactive shell, I could not run vi or nano properly. Can anyone help me understand this? Had to write files using cat.
Hey guys, I have been searching the rooms for quite some time and haven’t gotten any useful information. What am I looking for? A ZAP scan showed me there is a possible SQL injection vulnerability, but nothing has returned anything useful. Any help is appreciated.
Can anyone explain to me why when I try to run the script with s*** -u p****r it asks for w**-***a password? I’ve tried upgrading shells but still get the same thing…
I start by getting a restricted shell with the s****p tool and I get the os-shell, after that I run netcat stuff to get a shell, and then get a tty with the python command (python -c 'import pty; pty.spawn("/bin/bash")')
but no matter what, I still get a prompt asking for w**-a password when trying to run the script with s -u p****r.
Please, if someone knows why this is happening, please PM me, I’m gonna go crazy.
I am having a lot of trouble with the initial foothold. I have searched all the rooms but found nothing. I read through all the posts in this forum and I am still stuck. I tried SQL injection but got nowhere. Can someone PM me and give me a hint?