Obscurity

Any proper hints available on how to find or where this “key” is? Really don’t like this box and it’s taking me triple the time it should due to 100% being Python :frowning:

Just Rooted. I think in the unintended way since it was really too easy.

Guys, need a nudge… Found what command to exploit… copied and ran this server on my local machine… tested my exploit string… and it worked… but it doesn’t work on Obscure machine… what do I miss??? It returns 404 error and shows my string which passes into that func correctly… but doesn’t give a reverse shell…

Box patched now. Root part is harder.

Hint for root :
Code auditing. It’s sad you can’t read the file quickly enough.

There are multiple ways for root using the py script. I found one not involving anything py at all.

There are at least 4 ways…

So I have the script and an idea what to do but it doesn’t work. Not sure if I am on the right track. Trying to exploit e***c. (Hope that doesn’t spoil too much)
Can someone send me a little nudge?

Rooted. Fun box! Kudos to the creator.

For nudges feel free to dm me.

Rooted Fun

PM for Hints

I thought that was a super fun box, I enjoyed every step

user: If you understand what it’s doing, you don’t even need to write a line of code to reverse it

root: I’m apparently opposite of everyone so far, as I thought root (I went intended way) was significantly harder than user (Thanks to @bertalting for the help), so if that’s you, don’t get discouraged by the comments, you aren’t alone. If you are stuck you might want to Watch where you are looking. Also, I had to create the /***/S**/ directory for some reason which I don’t understand, but if you are getting that error, try that.

Fun box. Finally rooted. User was super hard for me, thanks to all who helped me out with it. Root was rather simple, but don’t think too hard on it… It will be obvious, as others have said. PM if you need help!

Pew, finally rooted. I don’t really think this box should be marked as “easy”. To be honest, foothold has space to do some tricks. Maybe I am just a noob, but next steps weren’t “easy” for me. I would rather call it “easy-medium”. Thanks @clubby789. Great box

gobuster and ffuf not working for me. Any hints plz?

EDIT: Got it, thanks for the nudges!

@rudem said:

gobuster and ffuf not working for me. any hints plz?

it works…

Just rooted, appreciation to @c1cada for nudge in initial foothold.
Escalation to root super easy. Overall I can imagine that for devs specializing in one famous reptile language this whole machine is very easy (first blood in user and root taken in less than half an hour).
In summary - nice experience, especially initial part.

@Hilbert said:

I thought that was a super fun box, I enjoyed every step

user: If you understand what it’s doing, you don’t even need to write a line of code to reverse it

root: I’m apparently opposite of everyone so far, as I thought root (I went intended way) was significantly harder than user (Thanks to @bertalting for the help), so if that’s you, don’t get discouraged by the comments, you aren’t alone. If you are stuck you might want to Watch where you are looking. Also, I had to create the /***/S**/ directory for some reason which I don’t understand, but if you are getting that error, try that.

I think someone has deleted the S… folder so that you must create it again. There are some trolls around on every box :slight_smile:

Anyone care to PM me a nudge for the fuzzing of the directory? Tried ffuf and wfuzz with a lot of lists, but no fun so far

Spoiler Removed

Oops, my bad. Thought I was completely off so it wouldn’t be a spoiler LOL

Spoiler Removed

Got root.

A very useful machine. I learned a lot of new things.

Thanks for creating it, @clubby789. My feelings are mixed: the machine is easy in one place and hard in another. Solving it requires an understanding of the Python programming language and Bash.

Before user, you need to find where the hidden .py file is located on the site, study it, and understand how it can be used.

Study the code, work out what can be used, and build a payload, and you get a shell.

user: study the script, understand how it encrypts, and try to decrypt. No coding needed, the script does everything itself. The procedure needs to be repeated several times.

root: knowledge of Bash and looping will help you open the file.