@YacineF said:
Iām stuck in the jail, I think Iāve enumerated every files I could find. I find a way to list path by pressing a key in the jail but nothing more. Do you have any hints ? Do I need to look for something else than the jail ?
Without leaving this jail metaphore, think on the problem like a jail, and think where or which part of the jails itās usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit onesā¦
@YacineF said:
Iām stuck in the jail, I think Iāve enumerated every files I could find. I find a way to list path by pressing a key in the jail but nothing more. Do you have any hints ? Do I need to look for something else than the jail ?
Without leaving this jail metaphore, think on the problem like a jail, and think where or which part of the jails itās usually the weakest, and usually bad guys use it to access and aim for it in their scans, the same as legit onesā¦
Thank you for your answer I found after a little nudge of one my friend. I didnāt think about attacking this thing as it is something I never thought it could be important.
Feel so liberated
Trying to get root, I know how and have a working solution locally I just need a way to write to a certain file on player. The writable permissions I have now are very limited. Thought of, and tried, various ways to get around this but so far nothing has worked.
Could anyone please send me a small hint on where to look?
Ok so root was way simpler than I expected! I was over complicating it quite a bit. Keep it simple I guess. But I learned in the process. Thanks to @gorg for providing the little push I needed.
Iām wondering if its possible to get root the way I tried first. If anyone was able to get root (or break out of jail) using the m***e.log file. Iād love to know how, please PM
@MrR3boot Thanks for a very cool box. That must have taken a lot of time to create.
I think i need some help with root, or at lest a hint.
I found the script b***.p, after reading the source i think in a possible p ob**** i***n abusing __wp method and running it des*****ng an specially crafted object.
I think it is a viable way of getting root, but still need to write our payload in a file (me.**g).
And hereās the problem, i donāt know if we can overwrite it doing something or i just wasted some hours and iām looking in the wrong place?
The file is owned by t*****n, so my first thought was to try to get this user in a shell, to be able to edit the fileā¦ I tried some things, with no luck at all, i tried running .writefile within the script we used in previous stages to ābypassā jail, i canāt make it working as all other things i triedā¦
Iām lost in front of user land. Iāve watched a lot of videos, found some creds for a user in a lua script, but they donāt seem to work for ssh. So Iāve tried with the development portal, Iāve found an hash (sha1(md5)), Iāve wrote a script to crack it with rockyou dict: nothing. maybe as I read after in this forum, itās not the right way. So Iāve read again all of .php file and other stuff but nothing inspired me. I stay in the darkness, someone could help me with a little hint ? I would like to go to jail. thanks in advance
So far I have have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and Iām struggling to find the backup file - tried common extensions and also vim-style file naming but no luckā¦
So far I have have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and Iām struggling to find the backup file - tried common extensions and also vim-style file naming but no luckā¦
Collect all discovered directory names and filenames (without extension), put them into a custom dictionary file and run dirbuster/dirb/gobuster/etc. using different ābackupā extensions and different vhosts. If you want to execute a āfullā search, you should add "dot"filename strings to the dictionary file too.
Rooted! User part was very interesting and had so much fun.
I guess there is another way to root, rather than mixing vulnerable code and enumeration, if anyone has rooted with another way, please drop me a message. Apart from root, there is another vhost c**t, what is its purpose anyway??
Thank you @MrR3boot for your awesome craftsmanship.
Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated!
Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated!
Update:
Just rooted. went for the rude approach. resetting box.
Hi all, Iāve been enumerating for almost a week now and still unable to find the ābakā. Wonder if Iām just using the wrong wordlists? Though Iāve tried a lot from seclists/dirbuster already. I know it could possibly be related to vim, and have accounted for it in my enum.
Any nudge in the right direction would be much appreciated!
Hi all, Iāve been enumerating for almost a week now and still unable to find the ābakā. Wonder if Iām just using the wrong wordlists? Though Iāve tried a lot from seclists/dirbuster already. I know it could possibly be related to vim, and have accounted for it in my enum.
Any nudge in the right direction would be much appreciated!
Create your own wordlist based on the discovered directory names and filenames without extension. Then try to use different extensions and vhosts.