Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.
Can someone give me a tip/PM for implementation of the priv escalation? I think I am on the right way. But the sticky CVE thing doesn’t let me pop a root shell. When I try to reverse shell I can’t redirect stdin/out for known reasons.
@cr0ssbon3s said:
Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.
Any hint to avoid the 403 on the user phase (m***.g**.p**)?
Finally rooted! I have gained knowledge on Cen****n and WAF filters.
The previous comment was meant for the postman box, sorry about that. I hope I didn’t throw anyone off. My previous post has nothing to do with this box at all. Here - http://urfsecurity.info/posts/linuxprivesc/ please remove if this is a spoiler.
I’ve already modified the script many times; the standard one didn’t get the right token. But requests to m+++.g++.p++ always get 403.
NVM got it. First time it didn’t work… PM me if you need help.
I found c****, now should I brute force? Hint me pls
Guys, getting the reverse shell is a pain. I found the CVE exploit and modified it but still can’t get a response in my ncat listener. I’m totally stuck. Help me please.
I just uploaded a new version of the exploit on Github. It should make debugging and editing the script less painful.
Can’t post the link here b/c spoilers, but it should be easy to find if you know what you’re looking for.
Overall, I really didn’t like this machine. It was all about the things I hate most in CTF.
Negatives:
- Lame CTF tricks to find foothold (i.e. what you do at m********g)
- Web-app brute-forcing. It might not take long to crack but it’s still a pain that doesn’t really add much to the machine.
- Sloppy exploit code. Unfortunately this is realistic, but I hate when exploits don’t use functions, or aren’t written for readability, or have hard-coded values that make the code break easily.
- Unrealistic defense. In this case, it seems like the app’s defense is written specifically to make using the exploit a pain. Realistically, I think an admin who knows about this exploit would update to a version that’s not vulnerable. I also think the 403 code is misused and deliberately misleading, but admittedly an admin trying to prevent an exploit wouldn’t want to help attackers debug…
- As soon as you get in, it’s over.
Positives:
- Learn patience and debugging
- Classic OSCP privesc.
@GetGetGetGet said:
Overall, I really didn’t like this machine. It was all about the things I hate most in CTF.
+1
Priv esc. to root was the same as on a retired machine. Overall, the machine was a pain.
Does anyone have websites/resources explaining why the “VERB” hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.
@reedsee said:
Does anyone have websites/resources explaining why the “VERB” hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.
It is an artificial configuration option and I think there is no System Administrator on the Earth who chooses it.
Finally I managed to get a shell. Any hint to get from w**-**** to s****y?
edit
rooted
Can someone PM me a hint? I have discovered the m…php, a…php and p…php pages but I don’t know how I can bypass or log in to m…
Help in c********* cardinals
Found it but I don’t know the relation between it and the CTF
Thanks @LoRKa
Now I am editing the CVE exploit to get a shell
@Meise said:
Can someone PM me a hint? I have discovered the m…php, a…php and p…php pages but I don’t know how I can bypass or log in to m…
I’ve decrypted the b4 hash and I get some credentials, but I don’t know how to pass it in m*****
edit: I think those are wrong credentials… you all say that there is a page named c***…
edit2: done, I have the login page. I was so dumb.
OK, I have a PHP shell but the s…h is not working; it shuts down after the first line
It is the right version but keeps failing
I am in a rwx dir. Please advise