Jarvis

Wow this was tough… for a newb like me. I was able to figure out the creds on my own but they where not needed. Then I managed to upgrade my shell alone. But after that I needed hints and help Thank you to @sl0w and @garffff couldnt have done it without you and I did learn a lot of cool stuff as well as added good links to the folder… Will be studying more on these subjects…

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Rooted - root was easier than user imo. I spent too much time on getting from initial access to user, felt like I was going mad at one point. Some good lessons learnt - nice box! DM if anyone wants help.

R0oTed !!!

Lot of hints on this forum, want root then read forum carefully…!!

root@jarvis:/root# id
id
uid=0(root) gid=0(root) groups=0(root)

Thank you @d0n601 , that gave me the last push to root.

"Tip for root: copy your public key into authorized_hosts and just ssh in. I was unable to modify the system administration stuff from my reverse shell. I ssh'd in properly, and the same exact steps worked perfectly."

I’ve only done a few boxes but so far this one has been the most fun one.

So I was able to get the user hash without actual getting a full shell for the user. Is that a valid own? Not sure if I can put how I did that on the board so DM for breakdown. Still new to this

Type your comment> @qmi said:

@voidhofer said:

sudo . Always try the most obvious first

Yep. That was my first attempt but it does not work without a password. Tried with multiple shells, also tried with different versions of python, still no luck.

For that command, AFAIR, you don’t need to specify password. It’s been some time ago when I did that box, but for me it did not require password. I managed to log on via SSH keys.Once you are user, you can try the following:

sudo -u p****r /var/www/Admin-Utilities/s*****r.py -p

after the prompt, specify the command you like to have run under the p****r user privs by using a special Bash shell magic :wink: . It’s in the Bash docs among how to run external commands as a subshell.

Hope this is not a spoiler

I’m using this method exactly, but any commands I run via the technique described at Infoblox NetMRI 7.1.4 Shell Escape / Privilege Escalation ≈ Packet Storm still end up running as w*-d* - tried nc, tried a revshell binary, even tried writing whois to a file. Insanely frustrated, not even clear on what to google at this point.

Rooted. Very fun box. I spent 2-3 days for initial foothold. I never used s*l**p before, so on one of the pages I got a positive result and to be honest I don’t know why the tool didn’t work on other pages but worked on that one, may be someone can explain me because I think I am weak at web part of the game. After that was easy and straight forward. Thanks to the creator of the machine.

If you keep getting a shell under w-d, dont use the python command…just go straight for the script. I lost couple of hours because of this since it was running the ‘python’ command under pepper but not the actual script.

jarvis seems down anybody facing same issue ?? or its my internet

What an awesome box this was. Getting user was pretty straight forward if properly enumerated. However, the Root part is bit tricky.

Feel free to knock me for Hints/nudges :slight_smile:

Rooted. Box is pretty straightfoward. Thanks to @darkkoan for reminding me to read enum results very thoroughly.
I had one issue though. when i got into **pr, I could not see the output of my terminal commands. Had the create another nc session. Then, in that nc session, after getting interactive shell, I could not run vi or nano properly. Can anyone help me understand this? Had to write files using cat

Could someone walk me through the beginning of the box please? Feel free to shoot me a PM. Thanks :slight_smile:

A taff box! My first Medium Box actually and finally rooted with a lot of help my new fried @Freak2600… thank you man.

Type your comment> @vider said:

A taff box! My first Medium Box actually and finally rooted with a lot of help my new fried @Freak2600… thank you man.

Anytime.

scanned the box more than 10 times not getting a meaningful result, is there a special way of scanning???

Hey guys, I have been searching the rooms for quite some time and haven’t gotten any useful information. What am I looking for? A ZAP scan showed me there is a possible sql injection vulnerability, but nothing has returned anything useful. Any help is appreciated.

Hi to all. Got a user. Got a stable shell. I can not get root access. Please help me. I read all the tips but it doesn’t work. PM me please.

Can anyone explain to me why when i try to run the script with s*** -u p****r it asks for w**-***a password? i’ve tried upgrading shells but still get the same thing…

I start by getting a restricted shell by s****p tool and i get the os-shell, after that get run netcat stuff to get a shell, and then get a tty with python command (python -c ‘import pty; pty.spawn(“/bin/bash”)’

but no matter what, I still get a prompt asking for w**-a password when trying to run the script with s -u p****r.

please if someone knows why this is happening please pm me i’m gonna go crazy

I am having a lot of trouble with the initial foothold. I have searched all the rooms but found nothing. I read through all the posts in this forum and I am still stuck. I tried sql injection but got no where. Can someone PM and give me a hint?

Rooted. Very interesting box. If you need some help, feel free to PM me.