Jarvis

After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find a way to use a script without these characters and get the user prompt? So many days at this point…

I’m stuck at the s***r. part of priv esc, how to escape the -p?

Got user yay; working on root

@Keroseno said:
After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find a way to use a script without these characters and get the user prompt? So many days at this point…

Some ppl have already linked to a page which includes a way around it

https://dl.packetstormsecurity.net/1710-exploits/KL-001-2017-017.txt

Read the “proof of concept” section carefully

@dawnowler said:

Got user yay; working on root

@Keroseno said:
After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find a way to use a script without these characters and get the user prompt? So many days at this point…

Some ppl have already linked to a page which includes a way around it

https://dl.packetstormsecurity.net/1710-exploits/KL-001-2017-017.txt

Read the “proof of concept” section carefully

Well, thank you very much, I was checking that before, but really, no idea… so I found another way, much easier.

User: Got it, as someone already said… the power of dollar…
Root: I am CRAZY!!! I am doing all I can with the s*******l but all I get is a file with the information inside. Also I saw that h*****.s***** is running but not loaded, and that is really strange, but it is ridiculous how close I am and I cannot get it… it is incredible… Any hint or a gun to shoot myself would be welcome.

Rooted. Enjoyable & very educational box. Thanks to @manulqwerty and @Ghostpp7

Rooted. Hint for the root: if the power of gtfo is not working, you need to change the command; changing permissions on /root/ should be ok. I was trying “cat” all the time and so many hours went to the bin… thanks to @rbt for the help with the user.

Rooted. Thanks to all who posted on this forum. I have read this thread each time I got stuck, and each time found the answer.

Seems like this box has several solutions. Mine was a bit dirty, because I’m a noob, but it works.
Root reverse shell, made by user reverse shell, made by stable another user reverse shell, made by unstable another user reverse shell.

### Hints:
Foothold: OWASP 10. I was surprised when I saw the power of the tool for exploiting this vuln, os-shell for example.

User: dollar; if it doesn’t work, look closer at what rights you give and to whom.
Root: Someone on this machine at your service.

Hope it’s not a spoiler.

Stuck on getting root flag. Unable to link service due to “Invalid Argument”. Anyone can give me a nudge?

I am being asked for a password even though it says I don’t need it, would someone mind helping me?

Finally Rooted. Here are my hints:

Initial hole:

  1. Enumerate as much as you can. You’ll find a door in front of a data container and a foothold from the front page from which you’ll get some keys to open the door.
  2. Observe the version of the container. Google it and you’ll get a reverse shell.

User:
Honestly, this made me brain-f*cked. However, when you enumerate enough, you’ll find a neighborhood. Read it carefully and you’ll know how to get the user.

Root:
It’s a little bit tricky. Basic enumeration will help you find a core-level application that you can run directly. GTFO will help you.

Conclusion: I learned a lot from this box. Nice box!

rooted. very fun box. thanks for all the help

Need some hints for this, I’m using sqlmap on the r****s.php?cod=1, trying to use this to dump the tables or get a shell. Yet every time I run the tool I get banned for 90 seconds and the scan won’t complete, any way around this? Or do I have to do it manually?

I am having extreme difficulty with this box and the shell I spawn not properly issuing commands. I have done the whole python and ctrl+z magic to elevate to a fully functional shell, then I move onto the next step for p***r and now when I issue a simple command such as ‘ls’ it doesn’t do anything. I have been stuck on this ■■■■ issue for a week now and can’t seem to get anywhere. I have tried numerous methods including socat and retrying various shell methods and still run into the same issue.

This is your second shell, isn’t it? Use it to create a third one that can be handled in the usual way.

Rooted @ Thanks zachosk for your help was stuck at root

Rooted …finally… before the box gets retired lol. First time using this specific gtb

@SpicyWeasle said:
I am having extreme difficulty with this box and the shell I spawn not properly issuing commands. I have done the whole python and ctrl+z magic to elevate to a fully functional shell, then I move onto the next step for p***r and now when I issue a simple command such as ‘ls’ it doesn’t do anything. I have been stuck on this ■■■■ issue for a week now and can’t seem to get anywhere. I have tried numerous methods including socat and retrying various shell methods and still run into the same issue.

Try sending your -da shell to another listener on your attacker machine as p**r

Hi, I am a little stuck. I found some creds and they work.
In the webapp is where I am stuck trying to figure out how to spawn a shell.
Please advise. Maybe an ippsec vid I can look at?

Spoiler Removed

Use Google and find a page that contains one more character…