Player

Thanks @MrR3boot for setting up Player, that was indeed a difficult one, my second hard box, took me quite some time and effort. I really liked the avi-part. Thanks @0x6f63746f and @Skybreaker for keeping me on track, in between I got lost at places which were probably not meant as but worked on me like rabbit holes.

Stuck in restricted environment can someone pm me a nudge pls?:slight_smile:

@Gr33d said:

Stuck in restricted environment can someone pm me a nudge pls?:slight_smile:

take a look at the door itself rather than at the jail behind that door

I’m just now getting back to stable after going crazy getting this root… @MrR3boot thinks it’s okay to throw out Player2. Haha, can’t wait.

I agree it is a great machine. Wasted some time, because I thought a file was empty. Looking forward to Player2.

I enumerated the vhosts and the error that gives some interesting information. I found all the easy/obvious stuff (I think!) but couldn’t really find anything to give me that foothold to user. After going at it for 2 nights (mostly enumerating with gobuster) without any leads, I decided to come here and check for a hint (feels bad!). I saw that there’s a b*k file to be found somewhere. I’m quite sure I would have never found this without a hint…

Now I’m sure I can find that file if I try long and hard enough but I’m more interested in learning the methodology/train of thought used to find this file first. Is there something that gives this away? Apart from the php error page mentioning a b****p directory? If someone who found this without taking any hints from others could please PM me how they did this I would very much appreciate it! I’d love to learn how to do this!

@GPLO said:

I enumerated the vhosts and the error that gives some interesting information. I found all the easy/obvious stuff (I think!) but couldn’t really find anything to give me that foothold to user. After going at it for 2 nights (mostly enumerating with gobuster) without any leads, I decided to come here and check for a hint (feels bad!). I saw that there’s a b*k file to be found somewhere. I’m quite sure I would have never found this without a hint…

Now I’m sure I can find that file if I try long and hard enough but I’m more interested in learning the methodology/train of thought used to find this file first. Is there something that gives this away? Apart from the php error page mentioning a b****p directory? If someone who found this without taking any hints from others could please PM me how they did this I would very much appreciate it! I’d love to learn how to do this!

I also read this info here and finally got the file without getting exact information about the type of “bak”.

BUT

You can find this “bak” using a gobuster/dirbuster/dirb-like tool created by one of my compatriots without seeing any hints/nudges/etc. If you find the GitHub page of the tool, you will see a screenshot in which you can spot the feature “Mangling” and its default value. That value contains an extension which you need to move on.

I never used that tool, but I plan to install and test it.

I’m stuck in the jail, I think I’ve enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

@YacineF said:
I’m stuck in the jail, I think I’ve enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

Without leaving this jail metaphor, think of the problem like a jail, and think where or which part of a jail is usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit ones…

@rulzgz said:

@YacineF said:
I’m stuck in the jail, I think I’ve enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

Without leaving this jail metaphor, think of the problem like a jail, and think where or which part of a jail is usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit ones…

Thank you for your answer, I found it after a little nudge from one of my friends. I didn’t think about attacking this thing as it is something I never thought could be important.
Feel so liberated :slight_smile:

Trying to get root, I know how and have a working solution locally I just need a way to write to a certain file on player. The writable permissions I have now are very limited. Thought of, and tried, various ways to get around this but so far nothing has worked.

Could anyone please send me a small hint on where to look?

Ok so root was way simpler than I expected! I was over complicating it quite a bit. Keep it simple I guess. But I learned in the process. Thanks to @gorg for providing the little push I needed.

I’m wondering if it’s possible to get root the way I tried first. If anyone was able to get root (or break out of jail) using the m***e.log file, I’d love to know how, please PM :slight_smile:

@MrR3boot Thanks for a very cool box. That must have taken a lot of time to create.

Got root the other way as well! This was fun. Thanks @Gr33d for showing me something obvious I should’ve known already :wink:

User and root owned

This was very challenging. It looks like there may be a few ways to do this. Had some fun at the movies as well :slight_smile:

I think I need some help with root, or at least a hint.
I found the script b***.p, after reading the source I think in a possible p ob**** i***n abusing __wp method and running it des*****ng a specially crafted object.
I think it is a viable way of getting root, but still need to write our payload in a file (m
e.**g).

And here’s the problem, I don’t know if we can overwrite it doing something or I just wasted some hours and I’m looking in the wrong place?

The file is owned by t*****n, so my first thought was to try to get this user in a shell, to be able to edit the file… I tried some things, with no luck at all, I tried running .writefile within the script we used in previous stages to “bypass” jail, I can’t make it work, like all the other things I tried…

Can someone help me with that?
Thanks in advance

Rooted, what a great box. I really enjoyed this one.
Thanks to all those that helped me with it!

If you need help, PM via discord.

I’m lost in front of user land. I’ve watched a lot of videos, found some creds for a user in a lua script, but they don’t seem to work for ssh. So I’ve tried with the development portal, I’ve found a hash (sha1(md5)), I’ve written a script to crack it with rockyou dict: nothing. Maybe, as I read after in this forum, it’s not the right way. So I’ve read again all of the .php files and other stuff but nothing inspired me. I stay in the darkness, could someone help me with a little hint? I would like to go to jail. Thanks in advance.

Hello all, I am stuck! I’d appreciate a nudge!

So far I have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I’m struggling to find the backup file - tried common extensions and also vim-style file naming but no luck…

@0X44696F21 said:

Hello all, I am stuck! I’d appreciate a nudge!

So far I have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I’m struggling to find the backup file - tried common extensions and also vim-style file naming but no luck…

Collect all discovered directory names and filenames (without extension), put them into a custom dictionary file and run dirbuster/dirb/gobuster/etc. using different “backup” extensions and different vhosts. If you want to execute a “full” search, you should add "dot"filename strings to the dictionary file too.
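The same problem seen from the server side, as an added example that is not part of any post in this thread: a web-root audit that flags backup and editor copies of server-side source files, which a web server will typically hand out as plain text because the changed extension is no longer mapped to the interpreter. The suffix list, the source-extension set and the sample file names are assumptions chosen for illustration.

```python
import os
import tempfile

# Assumed values for illustration, not taken from the thread.
SOURCE_EXTS = {".php", ".inc", ".conf"}
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".save", ".swp", ".swo")


def backup_origin(name):
    """Return the source filename `name` looks like a copy of, or None."""
    lowered = name.lower()
    for suffix in BACKUP_SUFFIXES:
        if lowered.endswith(suffix):
            candidate = name[: -len(suffix)]
            break
    else:
        return None
    # Editor swap files are dot-prefixed: .db.php.swp -> db.php
    if suffix in (".swp", ".swo") and candidate.startswith("."):
        candidate = candidate[1:]
    ext = os.path.splitext(candidate)[1].lower()
    return candidate if ext in SOURCE_EXTS else None


def find_exposed_backups(web_root):
    """Walk web_root; return sorted (relative path, origin, origin still present)."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        present = set(files)
        for name in files:
            origin = backup_origin(name)
            if origin is None:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), web_root)
            findings.append((rel.replace(os.sep, "/"), origin, origin in present))
    return sorted(findings)


def demo():
    """Audit a constructed web root (sample file names are made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        for rel in ("index.php", "index.php~", "inc/db.php.bak",
                    "inc/.db.php.swp", "notes.txt~", "logo.png"):
            open(os.path.join(root, rel), "w").close()
        return find_exposed_backups(root)


if __name__ == "__main__":
    for path, origin, live in demo():
        print(f"{path}: copy of {origin} (original present: {live})")
```

Run from a deploy pipeline or cron job against the real document root, any finding is a file to delete or to block at the web-server level before it is served.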

Yeah, I just had a flash and I added a new extension that found the file! Thank you, now onto getting deeper into the app!