Registry

@drdsol92 said:
Currently stuck at bt user. From the hints provided here, I think I’m supposed to su to w-d*** and exploit r***c somehow? I’ve even gone through the php files but still can’t find anything useful. Would appreciate it if someone could give me a nudge in the right direction ><

You have to find a way to become w**-d**** and get your way with r****c to BACKUP all the essential files

I am stuck on second user. I cracked hash, logged in web app but uploading shell doesn’t work. When I want to change extension, it shows 404 not found. Any help?

Edit:
No need to change extension :)

User! Thanks to my mentor, he knows who he is… I’m finding this box frustrating but not difficult. I’m not familiar with d****r so I had to read the docs and read the docs and read the docs; that and enumeration is all you’ll need to get to user, it’s that simple… Now on to root. gl -all

Stuck cloning the dr ry, got the basic auth so can view v/_c***g, but can’t get any further

E: Thanks to a nudge from @noob2sec managed to get user, on to root now!

rooted. Thank you @masquerad3r for your hints.

As for root, I gave up on making an outbound connection to my local machine. Everything was done on this machine besides cracking creds.
For the final touch, I didn’t know r***-s***** is portable.

I logged in via ssh as b**t user. Found some creds but couldn’t find a way to crack them. Can someone help me?

EDIT:

Rooted, special thanks to @PlayerThree and @rholas !

Why do all the B**t C*s pages return 404?

IDK if I got initial foothold the intended way, can someone who feels the same PM?

uid=0(root) gid=0(root) groups=0(root) root@bolt:~#

If you need help, write me via DM.

How can I get root? Any nudges?

Just rooted. I wanna thank @GibParadox for the patience and help! Feel free to contact me for hints.

Finally rooted!
User was not very hard.
Root was quite a long journey. Had quite a hard time with r****c…

I got stuck on: /v2/b****-i****/b****/sha256:*******

I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?

@roelvb said:

I got stuck on: /v2/b****-i****/b****/sha256:*******

I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?

There is something obvious, just keep looking. Did you notice any common port open when you enumerated the box? Maybe you can look for the key to open the door.

@mcruz said:

There is something obvious, just keep looking. Did you notice any common port open when you enumerated the box? Maybe you can look for the key to open the door.

Got it, thanks!

I am stuck on the root part.
I got a password and successfully logged into the website, but I can’t get anything.
Anyone who can PM me for a nudge on what to do next for root?

Great machine, thanks @thek.

I managed to proceed like a knife through butter to the “last two stations”. Gaining user level access was also interesting, but it was much easier than the root one. There are little tricks needed to discover the vulnerability, and it is easy to find an attack description on the Internet after the identification.

Although I got much data from the attack, it was clear what I should have found and used. The result was a friendly remote shell. It is worth running a fast nmap tcp port scan from the machine to the attacker host in this phase.

Based on the difficulty category of the machine, I guessed that I met a non-traditional privilege escalation challenge. I have learned from my earlier successful attempts that there is a valuable data source which often contains relevant information, and it was also true in this case. After some routine operations I reached the penultimate “station”.

That was the beginning of a suffering but instructive “journey”. Some advice for this “station”:

  • read but do not believe everything,
  • guess how to stabilize an unstable situation,
  • be fast and repeat your process if it is needed.

The result was a usual but less friendly remote access. I thought it was the difficult part of the attack, but I soon realized that I was wrong.

It was easy to find the vulnerability but difficult to create a successful exploit. First I thought that a newer little trick could solve my problem. After about an hour I realized that the application had a strict rule to set permissions and I couldn’t apply the “Local” method in a useful way. So I needed to use the “Server” method.

Since I knew the result of the earlier “reverse” nmap scan, I realized that I needed to apply the “Server” method locally. The only problem was the scarcity of a proper server. At that time I found an important word (p******e) in a message on this topic (thanks mate), and hit my head gently. The solution is very simple.

I needed to read some pages from a tutorial of the application and the readme of the server, and constructed the finish, which contained 5-10 elementary steps. It was a joy to see that my commands ran without any error.