Rooted. A very, very fun box. If you’re familiar with debugging code, this should be a walk in the park. Every step along the path to root was pretty clear once you foothold.
It’s been stated here already, but I think this bears repeating. You really should set up a dev environment and try to get this to work on your machine before you attempt to foothold on the actual box. Setting up your own environment allows you to see exactly what is happening behind the scenes, and you won’t mess anything up for other people while you are learning how this program works. I ran into some issues footholding that made me think my method was wrong. Turns out these issues were caused by other people attempting to foothold incorrectly. If you need any assistance setting up your own environment, feel free to ask.
My first medium box. Still on my way to foothold. Found the very secret py file, and I know what I have to do. If I execute it standalone it works, but when I execute it on the server (on my machine locally) it doesn’t work.
Anyone here, that wants to check my syntax or give me hints on what I’m doing wrong?
Might be worth double-checking how you are trying to inject it.
Make sure you are fuzzing the right part of the URL.
gobuster outputs a wonderful wall of text consisting of
Unsolicited response received on idle HTTP channel starting with “\n”; err=
and not even the -q flag makes it go away
Maybe gobuster is not the best tool to fuzz a web page path.
Thanks to @4an7o and @TazWake I finally got a shell. I found another py. I guess I have to reverse that to get the password. That will be fun.
Despite getting the shell being a nightmare, I like the box so far. Again I learned something new.
EDIT: Got USER. And it took me way longer than it should have. At least it feels like it. At first this ■■■■ mu thing sent me on the completely wrong track, and then I used the script parameters wrong … learning process again.
Finally rooted the box, yay!
Finding the initial foothold script was easy-ish, but getting RCE to work properly did provide a lot of escape challenges! Probably curl was not the easiest tool.
Getting User was not that hard, after writing a few lines of python to have the CPU do the job instead of my brain.
Getting root was “too” easy, not sure if the method I used was the intended one. I wonder how y’all did that?
Anyway, thanks a lot @c1cada, that was fun!
I have problems running the python code locally, could someone help me? I understand the vulnerability, but when I send the G** with the RS I receive a Bad Request.
Did you already debug it? You need to find out where exactly the problem occurs.
EDIT: I finally ROOTED that thing. That very last part gave me more than a little headache. I really have to learn to watch out better.
foothold:
fuzz what you don’t know, once you get it. you will see the window.
replicate the process to see where the rocks you throw land.
once you know, it’s just a matter of syntax
user:
with everything I have at home what can i deduce about this?
it’s not hard math, really it’s more similar to deducing that if
3 + 2 = 5 then 5 - 3 must equal 2
root:
if you say the magic word the only way you know
something random is going to happen somewhere very specific
might want to throw a net rather than trying to catch it by hand.