Finally rooted, thanks @foxlox for the help with the final missing piece Also thanks to @thek for creating the box. It was a very interesting box with multiple hoops to jump through, but none of them particularly annoying once you figure them out. I exploited rc bp for root.txt, but didn’t get a root shell. Would be interested to find out the “hard” way people are talking about.
There are plenty of hints in the thread already, so I won’t add any. Feel free to DM me if you need more specific hints.
Hey guys,
I’ve been stuck for a while now trying to get access to user w-d
I have creds and have logged in to the secret /b…/b… page but not sure how to get code execution
If I could get a nudge that’d be awesome thanks
[edit: got it !]
I also need a nudge on getting shell in the b*** c** … i have access to the dashboard but cannot figure for the sake of frustration how I can upload or rename. Someone pls pm
This is a very frustrating box! xD I have found the exploit code to get the second user. I amended it to match the config on the box, I ran it and the first time it half worked (people who have been past this stage will know what I mean). Every attempt since has failed! I’ve reset the box and it still fails!
I really loved this machine. Super super fun, I loved it. Learned a lot too(my favorite type of box). Don’t know what I can post publicly without spoiling so I’ll keep it to PMs so that I can just do nudges/minor hints. PM me for nudges for any machines I’ve rooted.
Stuck in geting wxx-daxx user after login as bxxt user for few days. I found the admin password for bxxt CMS, however, I am not able to locate the login page. It seems that I need to upload a webshell to bxxt CMS, but not able to figure out what to do. It is apperciated if you could give me some hints.
stuck on 2nd user, any nudge?
got the bxxt CMS login page, everyone said it can be login with default password, but i googled for hours and read the bxxt doc. seems that it dont have any default password
also found the username in se db, together with a shadow, but cant found a way to use that shadow, also found a auth_token in se db, seems cant use it
Got root! From the comments I suppose there are few ways to achieve root with the same thing. It was my second hard box ever. Really had fun, thank you @thek, learned a lot.
Also big thanks to @SaK1 who helped me with the less obvious method for privesc.
Wow - rooted. Also the way to user and root was really straightforward, the way from user to root was really difficult. Thanks to @plackyhacker for pointing me to the right direction
finally got a shell for 2nd user
know that i should use s*** r***** bp to priv esc
i can bp whatever file i want, but whenever i try to read it, its permission denied, any help?