Obscurity

@Darvidor said:

Especially the part to access the shell.

Stuck on this for days. I know the vulnerable part of sss.py but can’t find a way to reverse it…

I’ve been stuck for days in SSS.py, I can’t find a way to escape the vulnerable function :frowning:
Anyone can help me?

OK I’m pretty stuck on user. I’ve used two different methods to get the key, got the same result both times and it works with c****.t**/o**.t**. However, when I try to use that key to crack the pass, I get a password that doesn’t work on s** and BS**.py gives me an error related to e**/s when I try it there. Can someone give me a nudge?

EDIT: I figured it out… sort of. I was running the scripts with an outdated version of the language. Once I switched to the same version that’s on the box, I got a different result that looks correct, but is still getting rejected from s** and B***S.py.

@D3KAL3 said:

@Darvidor said:

Especially the part to access the shell.

Stuck on this for days. I know the vulnerable part of sss.py but can’t find a way to reverse it…

I sent you PM

Yeah !! Rooted !
That was a fun box, not too difficult in my opinion. The hard part was to find the first file.

Initial foothold : FUZZ with the information you found on the webpage.
User : Read the code, understand it and you’ll be ok. I didn’t use the B*****S**.** other than to understand the algorithm.
Root : Read the code, understand it and… well, be quick ?

I think I didn’t get root the intended way. Is there anyone who wants to discuss the intended way? Please, PM me.

@134k said:

Yes me. Restart your PC or VM and then it will work again. It’s because of openvpn I think

@shotop said:

I feel like this box is really difficult to work on - not because of the challenge of finding the user and root flags, that part is awesome, but because it keeps resetting. I feel like I log in, import a more stable python shell, and then maybe have 5 seconds to execute a command before it freezes, sleeps for 30sec, and so on. Is everyone else experiencing this?

■■■ - I took your suggestion, restarted, and now things are SO MUCH better. FML I thought the constant restarting was part of the challenge. THANKS!

Edit: Got root. Feeling great right now. Thanks for a box that def put me out of my comfort zone.

My root hint: Gotta figure out a way to cast a net and capture a fast moving fish.

Finally Rooted.
I hate this machine. I suffered a bit with it. I also love it because I learned a few interesting things to add to my bag.
Thanks to all for nudges, suggestions.
The hardest part was getting the shell for me. It was something new.
User was not easy. It is a matter of reading the code.
Admin was a bit difficult, to catch something on the fly. My lack of Linux knowledge pointed me to try things that don’t work, but once you realize how (thanks to advice), it is not very complicated.
@clubby789 I dream about Obscurity, I swear! :smile:

I got initial shell, how to get to the user? I already found some file in tmp dir. Some hints pls

@n00py said:
rooted this one.

Was a nice one, not so easy for me. Lost myself in fiddling a py script to get user credentials, but finally got it.

Every hint was already given in this forum but one little extra might help someone: read the format for the arguments of a script very carefully! One might be a file input while the other requires plaintext. Result might be messed up if not done right.

Root solved with a little bash script. Was the easier part for me.

If you need a little nudge feel free to send PM

Thank you for the file input nudge, that was staring me in the face the whole time.

Lol every single line in the .py file is gibberish to me… how do you actually learn python like that and not the silly print hello world tutorials… Anybody got a source that can help with what’s going on in this script or what I’m even supposed to do with it or the info in it… Hate when python experts are like this box is so easy blah blah

I finally figured out my struggles with getting user and I am kicking myself right now. I spent hours over the last few days running and re-running the crypt stuff and getting the same results over and over again as I pulled my hair out. I finally realized the filesize for my local copy of pr.t** was different from the one on the box. It only saved half the file for some reason. So if you’re saving anything locally, double-check that it saved correctly. And if you’re able to do something on the box instead of downloading everything, maybe just do that.

For .py beginners, is it necessary to install Flask in order to debug/test locally, or is there an alternative method?

I’ve added the code snippet from the Flask quickstart guide to the first .py file you discover, and although the server runs the code ok, when I browse the page, I’m seeing a “view function did not return a valid response” error in the console (and a 500 Internal Server Error in my browser). So, before I get too far into debugging and correcting that, am I heading down a rabbit hole?

Rooted intended way
thanks for the nudge on init RCE
was difficult for me cause I didn’t any parsel
send pm for hints

Was a lot of fun, but also some hard work. In hindsight everything could’ve been done much more efficiently, but I guess that is the case for EVERY achievement in retrospect.

I rated 7/10 for userflag and 3/10 for root, but 7/10 doesn’t really reflect the complexity; it only is that high because of the really long time it took me to get onto the right track. After first analyzing the server-script I got the wrong idea for exploiting a vulnerability there. Then I saw the right vulnerability to exploit, but still wasn’t totally on the right track, because I was blinded by what only seemed to be obvious but wasn’t correct at all. Is it a red herring?

Finally I saw a better opportunity of getting remote-access as the web-user, and from then on the rest went relatively smoothly.

After having access as ssh-user enhancing privileges was not a big deal at all here.

Really a nice challenge - if only I’d seen the more promising way a bit quicker!

@paddanada said:
For .py beginners, is it necessary to install Flask in order to debug/test locally, or is there an alternative method?

I’ve added the code snippet from the Flask quickstart guide to the first .py file you discover, and although the server runs the code ok, when I browse the page, I’m seeing a “view function did not return a valid response” error in the console (and a 500 Internal Server Error in my browser). So, before I get too far into debugging and correcting that, am I heading down a rabbit hole?

I didn’t use a debugger locally. The script itself is tiny and well structured, I played around with it a bit, wrote down its behaviour. You have to look out for the most promising vulnerability. Only that took me a LOT of time.

Rooted.
Foothold: Any wordlist is fine. View the page source and see if you notice anything strange when you compare what you see there to the results of running dirb with the standard wordlist. That was what tipped me off. Once you find the file, examine the code, run it locally and see what happens. Then apply that knowledge on the real thing.

User: Read the code and understand it. You can either write a program to undo it or find a trick that undoes it without you writing any code. Either way, make sure the files you’re working with have the same filesize as the ones on the box. Or better yet, just do everything on the box. I wasted a ton of time not realizing that certain files copied incorrectly.

Root: As always, examine the code. Look for the thing you have to catch. Then figure out how to catch something that moves faster than your hands.

Feel free to message me for hints.

I feel like I am very close to user… Someone mind shooting me a msg so we can discuss where I may be going wrong?

I don’t really know what the problem is. If someone could point me in the right direction, that would be great. I have been at this stage for much longer than I care to say.
I am having problems with the initial shell.

What I do know:
I have confirmed RCE on the box.
I have several DIFFERENT payloads that all work perfectly locally, but when I try to run them remotely they do not drop a shell. Ever.
Please help me.

I have the key (pretty sure it’s av), but when I use the key to decrypt p*******.txt I get an incomplete output. It looks like a pass but the last 4 chars are munted. I’m running the script server side so there should be no issue with the file. Any hints? it’s driving me nuts. Are we supposed to brute the last 4 chars?

@v0yager said:

I have the key (pretty sure it’s av), but when I use the key to decrypt p*******.txt I get an incomplete output. It looks like a pass but the last 4 chars are munted. I’m running the script server side so there should be no issue with the file. Any hints? it’s driving me nuts. Are we supposed to brute the last 4 chars?

I was facing the exact same problem.

Without spoiling: Don’t trust your eyes on this one, take another look at the encrypted file in vim.

Feel free to PM me if you need another nudge