Patents

Finally popped that initial shell as well

On root while fuzzing something, just found a file named t** with t****e inside, but no idea what I did that made that… Any nudges are appreciated.

stuck on www-data…

Rooted! This one was pretty tough at every step, but I learned so much and, now that it is done, I can say I enjoyed it. I wouldn’t have said that during the experience. :wink:

For those considering taking up the challenge, here are some hints to guide you on your way and let you know what you are up against. This box is three roots for the price of one.

  • Initial: XXE
  • Initial shell: Poison (I struggled here for a while until I reset the box. If you aren’t getting what you think you should be, you might consider a reset.)
  • 1st root (user.txt): I *** with my little eye
  • 2nd root: RE/PWN (also took me a while because there are many paths that can be taken, but only one clear winner. Thanks to @v1p3r0u5 for the help here.)
  • 3rd root (root.txt): hop on and ride the whale to glory!

Thanks to @gbyolo for creating a nice, challenging machine. They are a pain to work through, but very rewarding to finish. I almost quit on this one many times, but I’m glad I didn’t.

Stuck on the way to root :frowning:

■■■■. I’m riding the whales including the hidden ones; just can’t find the flag.

Edit: Found it

Finally got x** and now playing around with LFI

Could someone give me a nudge on the wordlist used to find the changelog?

I’ve tried this so far:

  1. dirb with -w to ignore errors but it stops halfway with too many errors. Tried multiple wordlists.

  2. Gobuster, well I didn’t know that it wasn’t recursive so that’s done :slight_smile:

  3. Dirbuster with same wordlists as num 1, this is looking better and finds more than dirb, however eventually crashed with out of memory exception.

I’m still out in the cold with this one.

Even tried to parse the _store files as a dit

I got shell as ww***** and I saw some password flying around with p****, but it doesn’t work with the user. Any hint?

edit: got it

@sazouki said:

I got shell as ww***** and I saw some password flying around with p****, but it doesn’t work with the user. Any hint?

edit: got it

Hi, may I ask if you managed to find the changelog file for the foothold or did you just go for the exploit?

Cheers

Rooted. What a battle. That is the hardest live box I have done to date. You are a genius @gbyolo. I don’t know how you do it, but props for creating a menacing machine. I loved it.

To everyone thinking of starting this, be warned… This is the longest machine path I have experienced. If you are not up for the challenge, this is your opportunity to turn back now…

If however, you are like me, and you love challenges like this, press onward. There is PLENTY of fun to be had with this machine. I don’t know if I can even provide hints because this was literally such a beast. Once again, kudos to the creator – I learned more than I ever thought possible from doing this machine.

Thanks @farbs and @seekorswim. I’m glad that you liked the journey! Good job.

@jstnlmb2008 said:

Could someone give me a nudge on the wordlist used to find the changelog?

So, this took me about a week but I found one in the SecLists collection for discovering web-content.

It’s a large one so you might need to disable warnings.

I feel like I’ve spent an entire day attempting to get the initial shell. I can get L*I and read useful stuff, but I can’t turn it into a shell.

@gbyolo - I might be cursing you right now, but this is an awesome box. Well done! If I ever get a flag I will be sooooooooooooo pleased :smile:

Heya guys, I cannot find the changelog file, only some j**n with installed packages, but I cannot understand how that can help me. Can anyone please nudge?

@seke said:

Heya guys, I cannot find the changelog file, only some j**n with installed packages, but I cannot understand how that can help me. Can anyone please nudge?

Hi, I too needed a nudge for this.

SecLists is the list you need to use; it’s not easy to find though, and dirbuster gave a lot of errors along the way.

I may have misread the changelog but I have to say that it didn’t help much in the next stage.

I’m still trying to get the foothold part worked out but this box needs dedication.

If you can successfully complete the first part, you can continue without the need for a changelog file. I personally thought that after spending some time for the first episode, it might have been a rabbit hole and I gave up. But then I understood and completed it. (I opened Windows and installed an add-in for the relevant document. + I used a Chrome extension. I didn’t care about the error it gave while using and saving the Chrome extension.)
If you do this part, you can find your way with the help of standard Linux files …

Ok so I’m getting closer with the xxe but I keep getting conversation errors when I add in the payload.

If I remove the exploit the file uploads.

I’m just doing lfi at this point, I’m thinking permissions or I’m just overdoing something.

@jstnlmb2008 said:

Ok so I’m getting closer with the xxe but I keep getting conversation errors when I add in the payload.

If I remove the exploit the file uploads.

I’m just doing lfi at this point, I’m thinking permissions or I’m just overdoing something.

Don’t care about errors…

After a break, back to this, and stuck on www-data.

Any nudges? Thanks