Jarvis

Hi to all. Got a user. Got a stable shell. I can not get root access. Please help me. I read all the tips but it doesn’t work. PM me please.

Can anyone explain to me why, when I try to run the script with s*** -u p****r, it asks for w**-***a password? I’ve tried upgrading shells but still get the same thing…

I start by getting a restricted shell with the s****p tool and I get the os-shell; after that I run netcat stuff to get a shell, and then get a tty with the python command (python -c 'import pty; pty.spawn("/bin/bash")')

But no matter what, I still get a prompt asking for w**-a password when trying to run the script with s -u p****r.

Please, if someone knows why this is happening, please PM me. I’m gonna go crazy.

I am having a lot of trouble with the initial foothold. I have searched all the rooms but found nothing. I read through all the posts in this forum and I am still stuck. I tried SQL injection but got nowhere. Can someone PM me and give me a hint?

Rooted. Very interesting box. If you need some help, feel free to PM me.

Hello! I’m working on Jarvis and I’m having trouble getting a shell as pr from the s**.y script. I wrote a script that makes a netcat connection to my machine and call it like using the $ method when the s*****.y asks for input. I get a shell on my machine, but as w*-d***. How can I make it run as pr? I thought running s**.y with sudo before might work, but it asks for w*-d*** password. Any hints will be much appreciated

@GlenRunciter said:

Can anyone explain to me why, when I try to run the script with s*** -u p****r, it asks for w**-***a password? I’ve tried upgrading shells but still get the same thing…

I start by getting a restricted shell with the s****p tool and I get the os-shell; after that I run netcat stuff to get a shell, and then get a tty with the python command (python -c 'import pty; pty.spawn("/bin/bash")')

But no matter what, I still get a prompt asking for w**-a password when trying to run the script with s -u p****r.

Please, if someone knows why this is happening, please PM me. I’m gonna go crazy.

You have to specify the script path after s*** -u p****r

root@jarvis:/#
Very interesting box.
I learned a lot of new methods.

Thanks to @21y4d for giving me some little guides

FootHold : Pretty easy, Find the “Data Container” sub-directory in the website then think of the tools a script kiddie would use to exploit it to get the data. After that think of the ways you could get yourself a ‘black window’

User : Find the script and think of what would happen if “the user input function returned different data”? Google will help you with this quotation!

Root : Simple Enumerating, Focus in the “interesting” file/configuration and then create a new job for it … simply gtfo

After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find a way to use a script without these characters and get the user prompt… so many days at this point…

I’m stuck at the s***r. part of priv esc, how to escape the -p?

Got user yay; working on root

@Keroseno said:
After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find a way to use a script without these characters and get the user prompt… so many days at this point…

Some people have already linked to a page which includes a way around it

https://dl.packetstormsecurity.net/1710-exploits/KL-001-2017-017.txt

Read the “proof of concept” section carefully

@dawnowler said:

Got user yay; working on root

@Keroseno said:
After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find a way to use a script without these characters and get the user prompt… so many days at this point…

Some people have already linked to a page which includes a way around it

https://dl.packetstormsecurity.net/1710-exploits/KL-001-2017-017.txt

Read the “proof of concept” section carefully

Well, thank you very much, I was checking that before, but really, no idea… so I found another way, much easier.

User: Got it, as someone already said… the power of dollar…
Root: I am CRAZY!!! I am doing all I can with the s*******l but all I get is a file with the information inside. I also saw that h*****.s***** is running but not loaded, and that is really strange, but it is ridiculous how close I am and I can not get it… it is incredible… Any hint or a gun to shoot myself would be welcome.

Rooted. Enjoyable & very educational box. Thanks to @manulqwerty and @Ghostpp7

Rooted. Hint for the root: If the power of gtfo is not working, you need to change the command; changing permissions on /root/ should be ok. I was trying “cat” all the time, so many hours to the bin… Thanks to @rbt for the help with the user.

Rooted. Thanks to all who posted on this forum. I read this thread each time I got stuck, and each time found the answer.

Seems like this box has several solutions. Mine was a bit dirty, because I’m a noob, but it works.
Root reverse shell, made by user reverse shell, made by stable another user reverse shell, made by unstable another user reverse shell.

### Hints:
Foothold: OWASP 10. I was surprised when I saw the power of the tool for exploiting this vuln. os-shell, for example.

User: dollar; if that doesn’t work, look closer at what rights you give and to whom.
Root: Someone on this machine at your service.

Hope it’s not a spoiler.

Stuck on getting root flag. Unable to link service due to “Invalid Argument”. Anyone can give me a nudge?

I am being asked for a password even though it says I don’t need it, would someone mind helping me?

Finally Rooted. Here are my hints:

Initial hole:

  1. Enumerate as much as you can. You’ll find a door in front of a data container and a foothole from the front page which you’ll get some keys to open the door.
  2. Observe the version of the container. Google it and you’ll get a reverse shell.

User:
Honestly, this made me brain-f*cked. However, when you enumerate enough, you’ll find a neighborhood. Read it carefully and you’ll know how to get the user.

Root:
It’s a little bit tricky. Basic enumeration will help you find out a core-level application that you can run directly. GTFO will help you.

Conclusion: I learned a lot from this box. Nice box!

Rooted. Very fun box. Thanks for all the help.

Need some hints for this. I’m using sqlmap on the r****s.php?cod=1, trying to use this to dump the tables or get a shell. Yet every time I run the tool I get banned for 90 seconds and the scan won’t complete. Any way around this? Or do I have to do it manually?

I am having extreme difficulty with this box and the shell I spawn not properly issuing commands. I have done the whole python and ctrl+z magic to elevate to a fully functional shell, then I move on to the next step for p***r, and now when I issue a simple command such as ‘ls’ it doesn’t do anything. I have been stuck on this ■■■■ issue for a week now and can’t seem to get anywhere. I have tried numerous methods including socat and retrying various shell methods and still run into the same issue.