Zetta

A bit annoyed that the IPv6 address changes sometimes.
I found the higher port and service, queried it for enumeration.
Stuck there.
I see people commenting about bruteforcing the creds for the user? like ssh bruteforce?

I’m logged as r** but I can’t go further…
I’m a bit lost for the p******s shell everyone is talking about.
I found the password but it looks like a rabbit hole.

If someone can PM for this part pls. I’m already guessing what to do after that, this other service looks pretty interesting…

Well, finally I rooted.

This box was pure pain for me. Big thanks to @TazWake, without his support I wouldn’t have been able to solve this box.

## These are my hints

User

  • After initial dir listing, don’t waste your time, focus on the service.
  • Try to find a way to obtain the “other” IP of the machine. A tool is available.
  • When you have the “other” IP start the process again and you will discover a new service.
  • Fuzz this something new to discover the special dir and brute for the password. You have to do it on your way. Be careful with the speed of the process.
  • Get the shell.

Root

  • Find across the files that you get in the first part and try to realize what’s happening with the logs and how it’s configured. If you need to, you can try to reproduce it locally.
  • Discover the DB system and fight with it.
  • You will need to get a previous shell before the jump to root.
  • Discover the common thing to everyone and use it (I wasted 1 hour before I realized). Enumerate, enumerate and enumerate.

I hope that it isn’t considered a spoiler. If it is, delete it.

Thanks!

If you need help, feel free to ask!

@luminougat said:

… First, I developed a poc working on a local environment, it translated to the box without issues and due to some “attacker-friendly” settings I didn’t have activated (was using the default settings on the local environment) the actual exploitation process was easier than expected… If you’re stuck at that point I guess it’s a good idea to mirror the environment in a certain aspect as best as you can and use all the debugging options available.

Losing my mind here. I’ve mirrored and matched almost exactly (ident shouldn’t matter?) and hit it with so many different combinations of escapes and not escapes and tweaking possible “attacker-friendly” settings and l----r from a file or from echo -e .... I just can’t for the life of me get rid of the ■■■■ escaped q----s.

Someone take pity with a nudge?

Edit: Thanks to @bumika @tmogg and @ekenas for the nudges. Sad to say I was unaware of that feature. Rooted and finally put to bed.

@resonant said:

@luminougat said:

Losing my mind here. I’ve mirrored and matched almost exactly (ident shouldn’t matter?) and hit it with so many different combinations of escapes and not escapes and tweaking possible “attacker-friendly” settings and l----r from a file or from echo -e … I just can’t for the life of me get rid of the ■■■■ escaped q----s.

Someone take pity with a nudge?

You need only one q… because you can use another element in other places.

Rooted cool box if you need hints pm me on discord icoNic#0097

Wow great box, bashing my head in all the way. Very cool exploits all the way around.

@s1m00n said:

Got user, funny so far. Curious for root. If somebody gets stuck, just give me a PM.

uid=0(root) gid=0(root) groups=0(root)
Great box. Good design with hints all the way. Thanks for it.

Finally got root. A great machine with a lot of techniques involved. @bumika @icoNic Thanks for your help. I learned a ton in this box which I didn’t know before. Thanks to the creator.

root@zetta:~# whoami; id
root
uid=0(root) gid=0(root) groups=0(root)

I don’t know what I’m doing wrong but I’m stuck bing the r service. I’ve tried thousands of times. I don’t know the username either. First I tried the common ones like a**** or r*** but they didn’t work so I tried guessing r** and didn’t work either. Any hints?

I’m trying to b**** the r**** folders. Have written a bash script using the r**** command for listing. I’ve got a user from known p*** file. Are there other useful folders to help me get a shell? At the moment my homemade dirb isn’t finding anything.

@chiefgreek said:

I’m trying to b**** the r**** folders. Have written a bash script using the r**** command for listing. I’ve got a user from known p*** file. Are there other useful folders to help me get a shell? At the moment my homemade dirb isn’t finding anything.

Before you start b**** the r**** connection, you should get, read and understand the r**** configuration file.

@avz7 said:

I don’t know what I’m doing wrong but I’m stuck bing the r service. I’ve tried thousands of times. I don’t know the username either. First I tried the common ones like a**** or r*** but they didn’t work so I tried guessing r** and didn’t work either. Any hints?

You can use the service to dump a folder which contains what you need to find out what users are on the system.

Then a brute force approach has at least some hope of success.

@chiefgreek said:

I’m trying to b**** the r**** folders. Have written a bash script using the r**** command for listing. I’ve got a user from known p*** file. Are there other useful folders to help me get a shell? At the moment my homemade dirb isn’t finding anything.

If you’ve got the right user, you are on the right track to get a shell. If you get the user’s password you can do much more with their account and this service.

The syntax is killing me. Replicated the environment and I see what is transmitted but no success with escaping. Happy for hints.

root@zetta:~# id
uid=0(root) gid=0(root) groups=0(root)

It was an outstanding experience! Thank you, @jkr.

Small hint for everyone struggling you know where:

Nice one @jkr! Ty sir for a fine box. Not much of a hint for others other than when the penny finally drops on the info you have to privesc to root… you will double face palm yourself so hard for not seeing it earlier! lol!!

Nice machine, second user is the best part, root is simple if you pay close attention to the note :wink: