Player

@YacineF said:
I'm stuck in the jail, I think I've enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

Without leaving this jail metaphor, think of the problem like a jail, and think where or which part of the jail is usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit ones...

@rulzgz said:

@YacineF said:
I'm stuck in the jail, I think I've enumerated every file I could find. I found a way to list paths by pressing a key in the jail but nothing more. Do you have any hints? Do I need to look for something else than the jail?

Without leaving this jail metaphor, think of the problem like a jail, and think where or which part of the jail is usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit ones...

Thank you for your answer. I found it after a little nudge from one of my friends. I didn't think about attacking this thing as it is something I never thought could be important.
Feel so liberated :slight_smile:

Trying to get root, I know how and have a working solution locally I just need a way to write to a certain file on player. The writable permissions I have now are very limited. Thought of, and tried, various ways to get around this but so far nothing has worked.

Could anyone please send me a small hint on where to look?

Ok so root was way simpler than I expected! I was over complicating it quite a bit. Keep it simple I guess. But I learned in the process. Thanks to @gorg for providing the little push I needed.

I'm wondering if it's possible to get root the way I tried first. If anyone was able to get root (or break out of jail) using the m***e.log file, I'd love to know how, please PM :slight_smile:

@MrR3boot Thanks for a very cool box. That must have taken a lot of time to create.

Got root the other way as well! This was fun. Thanks @Gr33d for showing me something obvious I should've known already :wink:

User and root owned

This was very challenging. It looks like there may be a few ways to do this. Had some fun at the movies as well :slight_smile:

I think I need some help with root, or at least a hint.
I found the script b***.p, after reading the source I think of a possible p ob**** i***n abusing __wp method and running it des*****ng a specially crafted object.
I think it is a viable way of getting root, but still need to write our payload in a file (m
e.**g).

And here's the problem, I don't know if we can overwrite it doing something or I just wasted some hours and I'm looking in the wrong place?

The file is owned by t*****n, so my first thought was to try to get this user in a shell, to be able to edit the file... I tried some things, with no luck at all, I tried running .writefile within the script we used in previous stages to "bypass" jail, I can't make it work, like all the other things I tried...

Can someone help me with that?
Thanks in advance

Rooted, what a great box. I really enjoyed this one.
Thanks to all those that helped me with it!

If you need help, PM via discord.

I'm lost in front of user land. I've watched a lot of videos, found some creds for a user in a lua script, but they don't seem to work for ssh. So I've tried with the development portal, I've found a hash (sha1(md5)), I've written a script to crack it with rockyou dict: nothing. Maybe, as I read after in this forum, it's not the right way. So I've read again all of the .php files and other stuff but nothing inspired me. I stay in the darkness, could someone help me with a little hint? I would like to go to jail. Thanks in advance

Hello all, I am stuck! I'd appreciate a nudge!

So far I have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I'm struggling to find the backup file - tried common extensions and also vim-style file naming but no luck...

@0X44696F21 said:

Hello all, I am stuck! I'd appreciate a nudge!

So far I have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I'm struggling to find the backup file - tried common extensions and also vim-style file naming but no luck...

Collect all discovered directory names and filenames (without extension), put them into a custom dictionary file and run dirbuster/dirb/gobuster/etc. using different "backup" extensions and different vhosts. If you want to execute a "full" search, you should add "dot"filename strings to the dictionary file too.

Yeah, I just had a flash and I added a new extension that found the file! Thank you, now onto getting deeper into the app!

Can anyone help me get started? I enumerated too much but wasn't able to find even a vhost. :frowning:

Any hints for privesc? I have shell as w**-***a user...

Rooted! User part was very interesting and had so much fun.

I guess there is another way to root, rather than mixing vulnerable code and enumeration, if anyone has rooted with another way, please drop me a message. Apart from root, there is another vhost c**t, what is its purpose anyway??

Thank you @MrR3boot for your awesome craftsmanship.

Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated! :slight_smile:

@portalfire said:

Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated! :slight_smile:

Update:
Just rooted. went for the rude approach. resetting box.

Had fun and headache so far, however, I'm stuck on the root now, since I don't see the obvious thing everyone is talking about T.T

Finally done. Didn't see what was needed to be seen. After that, straightforward =P Thanks for the box

Hi all, I've been enumerating for almost a week now and still unable to find the "bak". Wonder if I'm just using the wrong wordlists? Though I've tried a lot from seclists/dirbuster already. I know it could possibly be related to vim, and have accounted for it in my enum.

Any nudge in the right direction would be much appreciated!

@pirxthepilot said:

Hi all, I've been enumerating for almost a week now and still unable to find the "bak". Wonder if I'm just using the wrong wordlists? Though I've tried a lot from seclists/dirbuster already. I know it could possibly be related to vim, and have accounted for it in my enum.

Any nudge in the right direction would be much appreciated!

Create your own wordlist based on the discovered directory names and filenames without extension. Then try to use different extensions and vhosts.
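
The two replies about backup extensions, vim-style names and dot-prefixed filenames describe leftovers that a web server will hand out as plain source. As an added example (not from the thread or the box author), this is the matching check run from the defender's side: walk a document root and flag editor and backup leftovers before they are deployed. The pattern list and the sample file names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed pattern set: common editor/backup leftovers a web server would
# serve as static text instead of executing. Extend for your own tooling.
LEFTOVER_PATTERNS = [
    (re.compile(r".+~$"), "editor backup (trailing ~)"),
    (re.compile(r"^\..+\.sw[a-p]$"), "vim swap file"),
    (re.compile(r".+\.(bak|old|orig|save|backup|tmp)$", re.I), "backup extension"),
    (re.compile(r"^#.+#$"), "emacs autosave"),
]

def find_leftovers(webroot):
    """Return sorted (relative_path, reason) pairs for leftovers under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            for pattern, reason in LEFTOVER_PATTERNS:
                if pattern.match(name):
                    rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                    findings.append((rel.replace(os.sep, "/"), reason))
                    break  # one reason per file is enough
    return sorted(findings)

def build_sample_webroot(root):
    """Constructed sample tree: two live scripts plus typical leftovers."""
    for rel in ["index.php", "inc/config.php", "inc/config.php~",
                "inc/.config.php.swp", "upload.php.bak"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")

def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return find_leftovers(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against a real document root in CI or a pre-deploy hook, a non-empty result is a reason to fail the build; denying these name patterns in the web server configuration covers files created on the host after deployment.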