Sniper

Great box! Really learned a lot on this one for the actual execution of the different steps.

Finally got root.

User was hard, but for all the right reasons and I really enjoyed it :smile:

Root was hard for all the wrong reasons :neutral:

  1. Very unrealistic
  2. Takes 10 seconds on google to find a pre made script that generates a perfect payload for the file you find with no alteration or understanding required.
  3. Relies on you taking something in the boss’ note very literally. Which I didn’t… I thought it was just a bit of fluff at the end of the note, not a direct instruction, so spent hours looking for somewhere else I could put the malicious file.

But overall I still like the box because of how fun and challenging user was :slight_smile:

I have been stuck on root for a while. Figured out about c*m files, made one that works fine on local test and got the hint about where to drop it. It gets clobbered fairly quickly there, and no matter how I try to run it nothing happens. I must be missing something but no clue where to look now.

Tried everything else, including UAC bypass, but c***s does not have privileges for for that to work.

I have tried everything. Can anyone show me how to escalate from ixxx to Chxxs?

Type your comment> @ausldavid said:

I have tried everything. Can anyone show me how to escalate from ixxx to Chxxs?

Use the exact username.

I mean iusr to Chris

Type your comment> @ausldavid said:

I mean iusr to Chris

I know. You may know the command but use wrong (not exact) username. You may not know the command.

PMed you> @bumika said:

Type your comment> @ausldavid said:

I mean iusr to Chris

I know. You may know the command but use wrong (not exact) username. You may not know the command.

@bumika said:
Type your comment> @ausldavid said:

I mean iusr to Chris

I know. You may know the command but use wrong (not exact) username. You may not know the command.

PMed you. No idea what to do next

@bumika PMed you. No idea what to do next

Type your comment> @Caspar said:

Hi, I found the LFI but I’m not able to read some files outside the current folder. I tried some wrapper functions and many more. Can someone pls. give me a hint what I’m missing. Thx.

Absolutely the same stuck… Pls help someone ?

Type your comment> @pipi said:

I have been stuck on root for a while. Figured out about c*m files, made one that works fine on local test and got the hint about where to drop it. It gets clobbered fairly quickly there, and no matter how I try to run it nothing happens. I must be missing something but no clue where to look now.

Tried everything else, including UAC bypass, but c***s does not have privileges for for that to work.

when you say it gets clobbered, do you mean the file disappears when you drop it into that directory the boss mentioned? That’s fine, that is what is meant to happen. Again not very intuitive or realistic, but I guess it is meant to simulate the boss collecting the file. So yeah, if you have your C** file setup correctly, drop it in there, wait for it to disappear, then a few seconds later your payload should be executed (it did take about 10 or 15 seconds if I remember rightly and I thought maybe it hadn’t worked)

@bumika Just got the user flag. Thanks bumika for hints

Has rooted by myself. Thanks for all who have guided me in the progress

rooted, I have all good stuff to do it, but microsoft tool was not working properly and made me struggled with file crafting. I have used a PS script instead and… Work perfectly… Thanks for this box. Thanks to those who tried to help me with this last part.

Hi all, I would appreciate some help… I´ve found the instructions file and want to download it to my machine (kali). For some unknown reason I´m not being able to do it and I´ve already tried a lot of options… Could someone give a hint about the command I should use? Thanks!

This box was decent, although my god it took me ages!

The biggest learning point imo is the priv esc from user1 → user2. On the flip side, the exploit used to gain root, for me at least, was massively inconsistent in that sometimes it would work and other times it wouldn’t. There also seems to be no real concrete way to verify whats happening on the box when you get to that stage.

I rooted it in the end, but I can’t help but feel the path to get there is a bit hit-and-miss, which isn’t ideal when you’re already dealing with something that can be considered complex.

Finally rooted this box. I agree with @VbScrub, the root is a bit weird and not very realistic. Still, glad to get it done finally, and user was a good learning experience. Thanks to @vbscrub for the final hint for root.

Anyone around who could help with the root portion.
I have a weaponized file I just can’t seem to copy it over

I really liked the challenge,

It led me to think a little more about applying what I have been learning, creating an injection script, using various technologies to achieve an end and especially enumerating.

When I felt exhausted, I asked and I saw that it was fine, so I leave my clues to help the one who is still in the dark.

Start .- As everything is to enumerate, the key would be to look for the window and with a hook inject the shell.

User .- At this point you should already have credentials and clearly validated, so the next thing is to use them.

Root .- This took me very little time to think about it, and the enumeration had given me the clue, I just couldn’t find the place of the c **.

Have fun!!!

P.S. Thanks to the creators for this machine …