Registry

uid=0(root) gid=0(root) groups=0(root) root@bolt:~#

If you need help, write me via DM.

How can I get root? Any nudges?

Just rooted. I wanna thank @GibParadox for the patience and help! Feel free to contact me for hints.

Finally rooted!
User was not very hard.
Root was quite a long journey. Had quite a hard time with r****c…

I got stuck on: /v2/b****-i****/b****/sha256:*******

I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?

@roelvb said:

I got stuck on: /v2/b****-i****/b****/sha256:*******

I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?

There is something obvious, just keep looking. Did you notice any common port open when you enumerated the box? Maybe you can look for the key to open the door.

@mcruz said:

@roelvb said:

I got stuck on: /v2/b****-i****/b****/sha256:*******

I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?

There is something obvious, just keep looking. Did you notice any common port open when you enumerated the box? Maybe you can look for the key to open the door.

Got it, thanks!

I am stuck on the root part.
I got a password and successfully logged into the website, but I can’t get anything.
Anyone who can PM me for a nudge on what to do next for root?

Great machine, thanks @thek.

I managed to proceed like a knife through butter to the “last two stations”. Gaining user level access was also interesting, but it was much easier than the root one. There are little tricks needed to discover the vulnerability, and it is easy to find an attack description on the Internet after the identification.

Although I got much data by the attack, it was clear what I should have found and used. The result was a friendly remote shell. It is worth running a fast nmap tcp port scan from the machine to the attacker host in this phase.

Based on the difficulty category of the machine, I guessed that I met a non-traditional privilege escalation challenge. I have learned from my earlier successful attempts that there is a valuable data source which often contains relevant information, and it was also true in this case. After some routine operations I reached the penultimate “station”.

That was the beginning of a suffering but instructive “journey”. Some advice for this “station”:

  • read but do not believe everything,
  • guess how to stabilize an unstable situation,
  • be fast and repeat your process if it is needed.

The result was a usual but less friendly remote access. I thought it was the difficult part of the attack, but I soon realized that I was wrong.

It was easy to find the vulnerability but it was difficult to create a successful exploit. First I thought that a newer little trick could solve my problem. After about an hour I realized that the application had a strict rule to set permissions and I couldn’t apply the “Local” method in a useful way. So I needed to use the “Server” method.

Since I knew the result of the earlier “reverse” nmap scan, I realized that I needed to apply the “Server” method locally. The only problem was the scarcity of a proper server. At that time I found an important word (p******e) in a message on this topic (thanks mate), and hit my head gently. The solution is very simple.

I needed to read some pages from a tutorial of the application and the readme of the server, and constructed the finish, which contained 5-10 elementary steps. It was a joy to see that my commands ran without any error.

Rooted.
Thank you @sbridgens and @Rolesa

Got user.
Thanks @Rolesa, @noob2sec and @masquerad3r.
Go to root.
PM for hints.

I’m stuck at the very start. I got the c.t, I tried to get the c*****g, but obviously I don’t have the auth, nor the k.y. Any nudge for the initial foothold?

@FoX01 said:

Got user.
Thanks @Rolesa, @noob2sec and @masquerad3r.
Go to root.
PM for hints.

Glad I could help :)

Got root flag with r****c but wasn’t able to execute code with that method

@sulcud said:

Got root flag with r****c but wasn’t able to execute code with that method

Just use the same method and grab bigger.

When I do ‘locate root.txt’ there is no root.txt on the system?

Any nudge for the run to w**-***a?

Spoiler Removed

Rooted.
Really frustrating machine, but it was a great teacher to me.

User 1: What a ride. Enumerate and don’t ignore anything. Scan smart not hard.

User 2: Quite simple to find if you enumerated, but not so simple to actually do it. You’ll take a step backwards =) You have to be fast and think outside the box. You can’t outrun it, but you can outsmart it. The more creative you get, the better.

Root: Tunneling and Enumeration. Luckily my first enumeration command had what I needed. Then the hardest part of this machine: Exploiting the thing. I had to do a million tests and troubleshoots before it worked, but it worked. I didn’t think I needed a root shell, so I didn’t try, but I think it’s possible.