Player

I enumerated the vhosts and the error that gives some interesting information. I found all the easy/obvious stuff (I think!) but couldn’t really find anything to give me that foothold to user. After going at it for 2 nights (mostly enumerating with gobuster) without any leads, I decided to come here and check for a hint (feels bad!). I saw that there’s a b*k file to be found somewhere. I’m quite sure I would have never found this without a hint…

Now I’m sure I can find that file if I try long and hard enough but I’m more interested in learning the methodology/train of thought used to find this file first. Is there something that gives this away? Apart from the php error page mentioning a b****p directory? If someone who found this without taking any hints from others could please PM me how they did this I would very much appreciate it! I’d love to learn how to do this!

@GPLO said:

I enumerated the vhosts and the error that gives some interesting information. I found all the easy/obvious stuff (I think!) but couldn’t really find anything to give me that foothold to user. After going at it for 2 nights (mostly enumerating with gobuster) without any leads, I decided to come here and check for a hint (feels bad!). I saw that there’s a b*k file to be found somewhere. I’m quite sure I would have never found this without a hint…

Now I’m sure I can find that file if I try long and hard enough but I’m more interested in learning the methodology/train of thought used to find this file first. Is there something that gives this away? Apart from the php error page mentioning a b****p directory? If someone who found this without taking any hints from others could please PM me how they did this I would very much appreciate it! I’d love to learn how to do this!

I also read this info here and finally got the file without getting exact information about the type of “bak”.

BUT

You can find this “bak” using a gobuster/dirbuster/dirb-like tool created by one of my compatriots without seeing any hints/nudges/etc. If you find the GitHub page of the tool, you will see a screenshot in which you can spot the feature “Mangling” and its default value. That value contains an extension which you need to move on.

I never used that tool, but I plan to install and test it.

I’m stuck in the jail, I think I’ve enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something other than the jail?

@YacineF said:
I’m stuck in the jail, I think I’ve enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something other than the jail?

Without leaving this jail metaphor, think of the problem like a jail, and think about where, or which part of a jail, is usually the weakest; bad guys usually use it to get access and aim for it in their scans, the same as legit ones…

@rulzgz said:

@YacineF said:
I’m stuck in the jail, I think I’ve enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something other than the jail?

Without leaving this jail metaphor, think of the problem like a jail, and think about where, or which part of a jail, is usually the weakest; bad guys usually use it to get access and aim for it in their scans, the same as legit ones…

Thank you for your answer, I found it after a little nudge from one of my friends. I didn’t think about attacking this thing as it is something I never thought could be important.
Feel so liberated :slight_smile:

Trying to get root, I know how and have a working solution locally I just need a way to write to a certain file on player. The writable permissions I have now are very limited. Thought of, and tried, various ways to get around this but so far nothing has worked.

Could anyone please send me a small hint on where to look?

Ok so root was way simpler than I expected! I was overcomplicating it quite a bit. Keep it simple I guess. But I learned in the process. Thanks to @gorg for providing the little push I needed.

I’m wondering if it’s possible to get root the way I tried first. If anyone was able to get root (or break out of jail) using the m***e.log file, I’d love to know how, please PM :slight_smile:

@MrR3boot Thanks for a very cool box. That must have taken a lot of time to create.

Got root the other way as well! This was fun. Thanks @Gr33d for showing me something obvious I should’ve known already :wink:

User and root owned

This was very challenging. It looks like there may be a few ways to do this. Had some fun at the movies as well :slight_smile:

I think I need some help with root, or at least a hint.
I found the script b***.p; after reading the source I think of a possible p ob**** i***n abusing the __wp method and running it des*****ng a specially crafted object.
I think it is a viable way of getting root, but still need to write our payload in a file (m
e.**g).

And here’s the problem: I don’t know if we can overwrite it by doing something, or whether I just wasted some hours and I’m looking in the wrong place?

The file is owned by t*****n, so my first thought was to try to get this user in a shell, to be able to edit the file… I tried some things, with no luck at all. I tried running .writefile within the script we used in previous stages to “bypass” jail, but I can’t make it work, like all the other things I tried…

Can someone help me with that?
Thanks in advance

Rooted, what a great box. I really enjoyed this one.
Thanks to all those that helped me with it!

If you need help, PM via discord.

I’m lost in front of user land. I’ve watched a lot of videos, found some creds for a user in a lua script, but they don’t seem to work for ssh. So I’ve tried with the development portal, I’ve found a hash (sha1(md5)), I’ve written a script to crack it with the rockyou dict: nothing. Maybe, as I read afterwards in this forum, it’s not the right way. So I’ve read all of the .php files and other stuff again but nothing inspired me. I stay in the darkness, could someone help me with a little hint? I would like to go to jail. Thanks in advance.

Hello all, I am stuck! I’d appreciate a nudge!

So far I have enumerated vhosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I’m struggling to find the backup file - tried common extensions and also vim-style file naming but no luck…

@0X44696F21 said:

Hello all, I am stuck! I’d appreciate a nudge!

So far I have enumerated vhosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I’m struggling to find the backup file - tried common extensions and also vim-style file naming but no luck…

Collect all discovered directory names and filenames (without extension), put them into a custom dictionary file and run dirbuster/dirb/gobuster/etc. using different “backup” extensions and different vhosts. If you want to execute a “full” search, you should add "dot"filename strings to the dictionary file too.
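The search described in the reply above only succeeds when copies of source files have been left inside a served directory. As an added example (not part of any post in this thread), here is a check an administrator can run over their own document root to list such leftovers; the suffix lists, function names and sample file names are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Assumed lists (not from the thread): common backup/editor leftovers, and
# source types whose copies would be served as plain text instead of executed.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".swo", "~")
SOURCE_EXTS = (".php", ".inc", ".conf", ".sql")


def classify(name):
    """Return (reason, original_name) if name looks like a leftover copy, else None."""
    m = re.fullmatch(r"#(.+)#", name)  # Emacs autosave: #file.php#
    if m:
        return ("emacs-autosave", m.group(1))
    for suf in BACKUP_SUFFIXES:
        if name.endswith(suf) and len(name) > len(suf):
            original = name[: -len(suf)]
            # Vim swap files are dot-prefixed: .file.php.swp
            if suf in (".swp", ".swo") and original.startswith("."):
                return ("vim-swap", original[1:])
            return ("backup-suffix", original)
    return None


def audit_webroot(root):
    """Walk root and return sorted (relative_path, reason, original) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit and hit[1].lower().endswith(SOURCE_EXTS):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), hit[0], hit[1]))
    return sorted(findings)


def demo():
    """Build a constructed sample web root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        for rel in ("index.php", "index.php~", "app/.db.php.swp",
                    "app/config.php.bak", "app/#login.php#", "notes.txt.old"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        return audit_webroot(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Anything this reports should be deleted or moved out of the document root, and the server can additionally be configured to refuse requests for these suffixes.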

Yeah, I just had a flash and I added a new extension that found the file! Thank you, now onto getting deeper into the app!

Can anyone help me get started? I enumerated too much but wasn’t able to find even a vhost. :frowning:

Any hints for privesc? I have shell as w**-***a user…

Rooted! User part was very interesting and had so much fun.

I guess there is another way to root, rather than mixing vulnerable code and enumeration, if anyone has rooted with another way, please drop me a message. Apart from root, there is another vhost c**t, what is its purpose anyway??

Thank you @MrR3boot for your awesome craftsmanship.

Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated! :slight_smile:

@portalfire said:

Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated! :slight_smile:

Update:
Just rooted. went for the rude approach. resetting box.