Player

Comments

  • edited November 2019

    Spoiler Removed

  • edited December 2019

    Found some creds but can't seem to get them to work. Wonder what I'm missing.

    Edit: Got in, got some file read and got user.txt. Now to break out of jail.

    E2: Got to the edge of root, improperly rewrote a critical file. Time for a reset -_-

    E3: Finally rooted!

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • Finally made it to root! My first hard box, it was very fun. It took me ages but I learnt a lot. Thanks @MrR3boot and thanks to all that helped me.
    Feel free to PM if you need help!

  • Nice box so far. I like the video thing. I am able to login, but still stuck in jail after 24 hours. Found a way to make some changes on a page, but I don't know if that is the way. Tried to inject something, but that did not work the first time. Hope they still keep this machine up and I have some time left to finish this machine.

  • WOW what a ride ...... thank you

    CurioCT

  • edited December 2019

    Hey, I am stuck. Found and enumerated all vhosts. Searched for the b*k file everywhere but can't find it. Pls PM me a hint on how to continue.

    Edit: Got it thx @ rulzg

  • edited December 2019

    @Gr33d said:

    Hey, I am stuck. Found and enumerated all vhosts. Searched for the b*k file everywhere but can't find it. Pls PM me a hint on how to continue.

    How are you searching for the b*k file? Think about the extension or the suffix that a possible b****p file could, theoretically, have.

    rulzgz

  • edited December 2019

    This is a great machine, thank you, @MrR3boot.

    There were two really difficult points during my travel.

    1. The "backup" station where I tried to find one type of Linux "backup" file and I realized there are other types only two evenings later.

    2. The "jail" station where I concentrated on the jail so much that I forgot to examine other opportunities for a long time.

    It was a long journey, and I agree that making notes is an important step for gaining final access.

    I'm sure that I found an intended way to root access, but applied a "rude" technique to get root SSH connection, so that I reset the machine.

    bumika

  • Thanks @MrR3boot for setting up Player, that was indeed a difficult one, my second hard box, took me quite some time and effort. I really liked the avi-part. Thanks @0x6f63746f and @Skybreaker for keeping me on track, in between I got lost at places which were probably not meant as but worked on me like rabbit holes.

  • Stuck in restricted environment can someone pm me a nudge pls?:)

  • @Gr33d said:

    Stuck in restricted environment can someone pm me a nudge pls?:)

    take a look at the door itself rather than at the jail behind that door

  • After I'm just now getting back to stable after going crazy getting this root... @MrR3boot thinks it's okay to throw out Player2. Haha, can't wait.

  • I agree it is a great machine. Wasted some time, because I thought a file was empty. Looking forward to Player2.

  • I enumerated the vhosts and the error that gives some interesting information. I found all the easy/obvious stuff (I think!) but couldn't really find anything to give me that foothold to user. After going at it for 2 nights (mostly enumerating with gobuster) without any leads, I decided to come here and check for a hint (feels bad!). I saw that there's a b*k file to be found somewhere. I'm quite sure I would have never found this without a hint...

    Now I'm sure I can find that file if I try long and hard enough but I'm more interested in learning the methodology/train of thought used to find this file first. Is there something that gives this away? Apart from the php error page mentioning a b****p directory? If someone who found this without taking any hints from others could please PM me how they did this I would very much appreciate it! I'd love to learn how to do this!

    GPLO

  • @GPLO said:

    I enumerated the vhosts and the error that gives some interesting information. I found all the easy/obvious stuff (I think!) but couldn't really find anything to give me that foothold to user. After going at it for 2 nights (mostly enumerating with gobuster) without any leads, I decided to come here and check for a hint (feels bad!). I saw that there's a b*k file to be found somewhere. I'm quite sure I would have never found this without a hint...

    Now I'm sure I can find that file if I try long and hard enough but I'm more interested in learning the methodology/train of thought used to find this file first. Is there something that gives this away? Apart from the php error page mentioning a b****p directory? If someone who found this without taking any hints from others could please PM me how they did this I would very much appreciate it! I'd love to learn how to do this!

    I also read this info here and finally got the file without getting exact information about the type of "bak".

    BUT

    You can find this "bak" using a gobuster/dirbuster/dirb-like tool created by one of my compatriots without seeing any hints/nudges/etc. If you find the GitHub page of the tool, you will see a screenshot in which you can spot the feature "Mangling" and its default value. That value contains an extension which you need to move on.

    I never used that tool, but I plan to install and test it.

    bumika

  • I'm stuck in the jail, I think I've enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

  • @YacineF said:
    I'm stuck in the jail, I think I've enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

    Without leaving this jail metaphor, think of the problem like a jail, and think where or which part of a jail is usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit ones...

    rulzgz

  • @rulzgz said:

    @YacineF said:
    I'm stuck in the jail, I think I've enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

    Without leaving this jail metaphor, think of the problem like a jail, and think where or which part of a jail is usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit ones...

    Thank you for your answer. I found it after a little nudge from one of my friends. I didn't think about attacking this thing as it is something I never thought could be important.
    Feel so liberated :)

  • Trying to get root, I know how and have a working solution locally I just need a way to write to a certain file on player. The writable permissions I have now are very limited. Thought of, and tried, various ways to get around this but so far nothing has worked.

    Could anyone please send me a small hint on where to look?

    GPLO

  • edited December 2019

    Ok so root was way simpler than I expected! I was overcomplicating it quite a bit. Keep it simple I guess. But I learned in the process. Thanks to @gorg for providing the little push I needed.

    I'm wondering if it's possible to get root the way I tried first. If anyone was able to get root (or break out of jail) using the m***e.log file, I'd love to know how, please PM :)

    @MrR3boot Thanks for a very cool box. That must have taken a lot of time to create.

    GPLO

  • Got root the other way as well! This was fun. Thanks @Gr33d for showing me something obvious I should've known already ;)

    GPLO

  • User and root owned

    This was very challenging. It looks like there may be a few ways to do this. Had some fun at the movies as well :)

  • I think I need some help with root, or at least a hint.
    I found the script b*.p, after reading the source I think of a possible p** ob**** i*******n abusing the __w****p method and running it by des********ng a specially crafted object.
    I think it is a viable way of getting root, but we still need to write our payload in a file (m***e.**g).

    And here's the problem, I don't know if we can overwrite it doing something or I just wasted some hours and I'm looking in the wrong place?

    The file is owned by t*****n, so my first thought was to try to get this user in a shell, to be able to edit the file... I tried some things, with no luck at all, I tried running .writefile within the script we used in previous stages to "bypass" jail, I can't make it work, like all the other things I tried...

    Can someone help me with that?
    Thanks in advance

    rulzgz

  • Rooted, what a great box. I really enjoyed this one.
    Thanks to all those that helped me with it!

    If you need help, PM via discord.

    Discord : secHaq#7121
    trigger

  • I'm lost in front of user land. I've watched a lot of videos, found some creds for a user in a lua script, but they don't seem to work for ssh. So I've tried with the development portal, I've found a hash (sha1(md5)), I've written a script to crack it with the rockyou dict: nothing. Maybe, as I read afterwards in this forum, it's not the right way. So I've read again all of the .php files and other stuff but nothing inspired me. I stay in the darkness, could someone help me with a little hint? I would like to go to jail. Thanks in advance.

  • Hello all, I am stuck! I'd appreciate a nudge!

    So far I have enumerated vhosts and files on those, seen the error message on one of the files, found the login where the IDE is (but no creds), and I'm struggling to find the backup file - tried common extensions and also vim-style file naming but no luck...

    SIG

  • @0X44696F21 said:

    Hello all, I am stuck! I'd appreciate a nudge!

    So far I have enumerated vhosts and files on those, seen the error message on one of the files, found the login where the IDE is (but no creds), and I'm struggling to find the backup file - tried common extensions and also vim-style file naming but no luck...

    Collect all discovered directory names and filenames (without extension), put them into a custom dictionary file and run dirbuster/dirb/gobuster/etc. using different "backup" extensions and different vhosts. If you want to execute a "full" search, you should add "dot"filename strings to the dictionary file too.

    bumika
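
The naming patterns discussed above can also be checked from the defender's side. As an added example (not part of the original thread), this sketch walks a local web root and flags leftover backup or swap copies of source files, which a server would return as plain text; the suffix list, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed lists (not from the thread): common editor/backup suffixes, and
# extensions a server normally executes instead of returning as plain text.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".save", ".swp", ".swo")
SOURCE_EXTS = (".php", ".inc", ".py", ".pl", ".jsp")


def find_backup_leftovers(docroot):
    """Return sorted relative paths of backup-style copies of source files."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            # Editor swap files are dot-prefixed, e.g. ".config.php.swp".
            stem = name[1:] if name.startswith(".") else name
            for suffix in BACKUP_SUFFIXES:
                original = stem[: -len(suffix)]
                if stem.endswith(suffix) and original.lower().endswith(SOURCE_EXTS):
                    rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                    hits.append(rel.replace(os.sep, "/"))
                    break
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    sample = ["index.php", "index.php~", "lib/db.php", "lib/db.php.bak",
              "lib/.config.php.swp", "notes.txt", "notes.txt~", "img/logo.png"]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for leftover in find_backup_leftovers(build_sample_tree()):
        print("leftover backup copy:", leftover)
```

Run against a real document root in a deployment check, any hit is a file to delete or to block at the server configuration level.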

  • Yeah, I just had a flash and I added a new extension that found the file! Thank you, now onto getting deeper into the app!

    SIG

  • Can anyone help me get started? I enumerated too much but wasn't able to find even a vhost. :(

  • Any hints for privesc? I have shell as w**-***a user...
