Obscurity

Found what I needed with wfuzz. Downloaded a copy and found the exploitable piece of code. I ran the code locally and experimented until I got the syntax right. I have 2 versions which both work locally. When I target obscurity however I get a 404 and my listener doesn’t trigger :frowning: Intended?

My problem is with m**e****s… I can’t avoid 500 error

@GPLO said:

Found what I needed with wfuzz. Downloaded a copy and found the exploitable piece of code. I ran the code locally and experimented until I got the syntax right. I have 2 versions which both work locally. When I target obscurity however I get a 404 and my listener doesn’t trigger :frowning: Intended?

nvm, found my problem. Don’t assume when you can check!

@clubby789 Great box! Not sure why ppl are not giving it the stars it deserves. It was easy, but I had a lot of fun.

Got user!
Going for root!

I have found the code file; however, I am struggling to set up a debug environment to manipulate the code. Does anyone have the time to help me out with what the code is doing and just some pointers on what to look out for? Thank you in advance. And I know, I know “try harder”.

I have the script S **** S ***** S ***. Py apparently the function that I should use is s s****D but I’ve analyzed the code and I’m stuck. Anyone with a hint?

Nice box!
Pretty CTF-like and really enjoyable… shame on the “easy” method though, the legit method is really fun.

Got the .py file after using ffuf. Other tools were too slow.

Now I’m having issues with the python code.

Rooted, thanks the most to @atii22 for helping me.
If anyone needs help, you can contact me.

Nice box… I tried almost two ways to root: unintended and intended. (Please fix unintended as soon as possible.) You need to speak in basic python like Harry Potter.

For some hints or nudge, send me a message.

I can’t for the life of me find the directory… I’ve tried with 3 different tools now to no avail…

EDIT:
Found it, had to adjust my bustin’ a little.

@Vex20k said:

I can’t for the life of me find the directory… I’ve tried with 3 different tools now to no avail…

Same here, any hint?

Spoiler Removed

Spoiler Removed
Sorry

Spoiler Removed

If you’re struggling with crypto don’t give up.
Read carefully how the script is encrypting data and how it’s using the key.
If you’re not familiar with python scripting, well, the key can be “cracked” manually in 20 minutes.

Is the box broken or something? Not getting any response from the services.

User was fun :slight_smile: Now on to root

4 minutes later: root was a bit disappointing

Need some help regarding the server