AI

Definitely an interesting one.

root@testies:~/pentest/labs/htb/AI# nc -lnvp 1234
listening on [any] 1234 …
connect to [10.10.14.32] from (UNKNOWN) [10.10.10.163] 53514
bash: cannot set terminal process group (12249): Inappropriate ioctl for device
bash: no job control in this shell
root@AI:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@AI:~#

@Icyb3r said:
Rooted, Finally … the root part need to read about the Vuln, don’t do it blindly, read and try to understand how the exploitation process works, for me took time to do that, but after that the exploitation process for root is stable, root part let me think out of the box the most part I get enjoyed in. Many thanks @MrR3boot .

Same applicable to user too :wink:

The concept is very well-executed, I don’t understand why it shouldn’t have a higher rating. I gave it a 5. Kudos to @MrR3boot

@limbernie said:
The concept is very well-executed, I don’t understand why it shouldn’t have a higher rating. I gave it a 5. Kudos to @MrR3boot

Glad that you liked it :slight_smile:

Everyone is saying to understand the exploit to root but I have no background on that stuff. Reading the entire code or even the explanation gave me a headache. Can anyone pm me to help me understand it better?

Edit : rooted. Don’t be single-minded in root process. Once you confirm the exploit is working, there are too many ways to root. I felt so stupid when someone told me about it.
Thanks @Icyb3r @0PT1MUS @N7E for the hints
Thanks @MrR3boot for the box. Cool idea

Finally got user. Felt a bit random, still enjoyable.

Rooted.

Ain’t easy at all for root (I needed some help for user/root).
PM me if you need hints.

is it possible to use the common database for table and column names enumeration? Number 4 is in my way.

Thanks @joshibeast for the tip. Guessing it the key.

Type your comment> @FatPotato said:

is it possible to use the common database for table and column names enumeration? Number 4 is in my way.

Try pentestmonkey cheatsheet and some common(obvious) table names

I don’t get it.

I ran directory scanning, found u*****s error 301.

2 minutes later, I get only 403 for same directory.

Can someone clarify me?

EDIT: Nvm, Im stupid.

@twypsy said:

You can either record the word yourself, or replace the R with “her”.
had to throw a co**a in there to separate the R part there but thanks for that tip, really helped.

This root is really kicking me. I suppose more google might do the job but does it have something to do with the cat?

Really liked the root part =) thanks for the box @MrR3boot!

@crankyyash said:
Everyone is saying to understand the exploit to root but I have no background on that stuff. Reading the entire code or even the explanation gave me a headache. Can anyone pm me to help me understand it better?

Edit : rooted. Don’t be single-minded in root process. Once you confirm the exploit is working, there are too many ways to root. I felt so stupid when someone told me about it.
Thanks @Icyb3r @0PT1MUS @N7E for the hints
Thanks @MrR3boot for the box. Cool idea

@v01t4ic said:
Really liked the root part =) thanks for the box @MrR3boot!

Glad that you had fun :slight_smile:

USER/GROUP

[-] Current user/group info:
uid=4000000000(mrr3boot) gid=1001(mrr3boot) groups=1001(mrr3boot)

Type your comment> @jvlavl said:

USER/GROUP

[-] Current user/group info:
uid=4000000000(mrr3boot) gid=1001(mrr3boot) groups=1001(mrr3boot)
You are chasing rabbits

hi… could someone help me with with the wav-generation…
i tried A LOT onlinetools, gtts,…
and the sugested “celebrated” fe…al-tts seems nothing better…
i changed its t…2…e-tool’s voice to almost every northamerican there is… :wink:
what am i doing wrong?

Can anyone help me with generating right wav? Try different tts services, but no result and also can’t understand is my query right or not for exploitation? Please, write me via PM

Type your comment> @brueh said:

hi… could someone help me with with the wav-generation…
i tried A LOT onlinetools, gtts,…
and the sugested “celebrated” fe…al-tts seems nothing better…
i changed its t…2…e-tool’s voice to almost every northamerican there is… :wink:
what am i doing wrong?

If you have access to a Windows box, desktop dave might help.

That was easy and fast to get user.

root@kali:~/Downloads# ls speech*
‘speech(10).wav’ ‘speech(15).wav’ ‘speech(1).wav’ ‘speech(24).wav’ ‘speech(29).wav’ ‘speech(33).wav’ ‘speech(38).wav’ ‘speech(42).wav’ ‘speech(47).wav’ ‘speech(6).wav’
‘speech(11).wav’ ‘speech(16).wav’ ‘speech(20).wav’ ‘speech(25).wav’ ‘speech(2).wav’ ‘speech(34).wav’ ‘speech(39).wav’ ‘speech(43).wav’ ‘speech(48).wav’ ‘speech(7).wav’
‘speech(12).wav’ ‘speech(17).wav’ ‘speech(21).wav’ ‘speech(26).wav’ ‘speech(30).wav’ ‘speech(35).wav’ ‘speech(3).wav’ ‘speech(44).wav’ ‘speech(49).wav’ ‘speech(8).wav’
‘speech(13).wav’ ‘speech(18).wav’ ‘speech(22).wav’ ‘speech(27).wav’ ‘speech(31).wav’ ‘speech(36).wav’ ‘speech(40).wav’ ‘speech(45).wav’ ‘speech(4).wav’ ‘speech(9).wav’
‘speech(14).wav’ ‘speech(19).wav’ ‘speech(23).wav’ ‘speech(28).wav’ ‘speech(32).wav’ ‘speech(37).wav’ ‘speech(41).wav’ ‘speech(46).wav’ ‘speech(5).wav’ speech.wav

Edit: Could not get root shell. Got root-flag, but ran out of ideas for shell. PM me if you wish to tell me how you got root-shell.