Wall

I managed to get user, but unsure how to escalate to root now…

.

Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.

Can someone give me a tip/PM for implementation of the priv escalation? I think I am on the right way. But the sticky CVE thing doesn’t let me pop a root shell. When I try to reverse shell I can’t redirect stdin/out for known reasons.

@cr0ssbon3s said:

Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.

Any hint to avoid the 403 on the user phase (m***.g**.p**)?

Finally rooted! I have gained knowledge on Cen****n and WAF filters.

Thank you guys for providing the hints @r0xas and @zachosk

The previous comment was meant for the postman box, sorry about that. I hope I didn’t throw anyone off. My previous post has nothing to do with this box at all. Here - http://urfsecurity.info/posts/linuxprivesc/ please remove if this is a spoiler.

I’ve already modified the script many times; the standard one didn’t get the right token. But requests to m+++.g++.p++ always get 403.

NVM got it. First time it didn’t work… PM me if you need help.

I found c****, now should I brute force? Hint me pls

Thanks to @askar for a great box. Learned a lot.

Guys, getting the reverse shell is a pain. Found the CVE exploit and modified it but still can’t get a response in my ncat listener. I’m totally stuck. Help me please.

I just uploaded a new version of the exploit on Github. It should make debugging and editing the script less painful.

Can’t post the link here b/c spoilers, but it should be easy to find if you know what you’re looking for.

Overall, I really didn’t like this machine. It was all about the things I hate most in CTF.

Negatives:

  • Lame CTF tricks to find foothold (i.e. what you do at m********g)
  • Web-app brute-forcing. It might not take long to crack but it’s still a pain that doesn’t really add much to the machine.
  • Sloppy exploit code. Unfortunately this is realistic, but I hate when exploits don’t use functions, or aren’t written for readability, or have hard-coded values that make the code break easily.
  • Unrealistic defense. In this case, it seems like the app’s defense is written specifically to make using the exploit a pain. Realistically, I think an admin who knows about this exploit would update to a version that’s not vulnerable. I also think the 403 code is misused and deliberately misleading, but admittedly an admin trying to prevent an exploit wouldn’t want to help attackers debug…
  • As soon as you get in, it’s over.

Positives:

  • Learn patience and debugging
  • Classic OSCP privesc.

@GetGetGetGet said:
Overall, I really didn’t like this machine. It was all about the things I hate most in CTF.

+1

Priv esc. to root was the same as on a retired machine. Overall, the machine was a pain.

Does anyone have websites/resources explaining why the “VERB” hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.

@reedsee said:

Does anyone have websites/resources explaining why the “VERB” hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.

It is an artificial configuration option and I think there is no System Administrator on the Earth who chooses it.

Finally I managed to get a shell. Any hint to get from w**-**** to s****y?
Edit: rooted :)

Can someone PM me a hint? I have discovered the m…php, a…php and p…php pages but I don’t know how I can bypass or log in to m…

Help in c********* cardinals
Found it but I don’t know the relation between it and the CTF
Thanks @LoRKa
Now I am editing the CVE exploit to get a shell