Registry

Not like this box is hard or easy or whatever, but most of the things I’ve found through the initial foothold have led me nowhere or to what looks to be a dead end, and…I’m confused to be quite honest. Can someone help out? If so, PM me.

@Dzsanosz said:

I would really appreciate some nudges on how to get w**-a from b. Thanks!

There is an enumeration script which gives you some useful information. Then you may need to take a step back and dig deeper with your web enumeration fu to find a place to use it.

Once you’ve used it, a fairly typical attack gets you a shell.

@JSONSec said:

Help!

I’m stuck on the last step and it’s so frustrating. I have a w**-*** * shell. I can’t figure out how I am supposed to use the r***** command :frowning:

I am also stuck at the same place. I know what I need to do, but don’t know how to do it. Can anyone help me with this?

EDIT:
Got the root (file I mean). Thanks to @CodingKoala for providing hint towards root.
Overall - User seemed quite easy compared to root. Restrictions on the box made it difficult.

My Hints:
User 1: Find what software/tool you are working on and enumerate. There is a good article which shows a step-by-step approach to enumerate. Explore the things which you have got. You will find useful data within to get user1.
User 2: This is a bit tricky. Find the login page. Creds can again be found in the data you got from User 1. Upload things and get the shell. (The method I used is, I think, different from others. I did not face any issue with making things work fast. My uploaded data (file) was there for a long time.)
Root: Again tricky, as I did not know methods to bypass/forward things. You can easily find what you need to exploit, but exploiting it is difficult.

If you need any help, PM me.
If I have spoiled anything, please report.

@grav3m1ndbyte said:

Not like this box is hard or easy or whatever, but most of the things I’ve found through the initial foothold have led me nowhere or to what looks to be a dead end, and…I’m confused to be quite honest. Can someone help out? If so, PM me.

I was able to get the user flag yesterday, but need direction on what needs to be done after. If anyone wants to help, PM me.

Need help for w**-d***, can’t get code execution. If anyone wants to help I’ll appreciate it :smile:

Edit: Rooted! Thanks @CodingKoala for the nudge.

bolt
uid=0(root) gid=0(root) groups=0(root)
Wed Mar 11 01:58:17 UTC 2020

Feel free to pm for help!

Can someone give me a nudge on initial foothold? I found a couple files in i****** directory. Found a login page for b***. Not sure what direction to go. Wasted a ton of time researching d*****, still not sure if that is the correct path.

I’m still fighting with the second user, but I have a question for the seasoned pentesters. I have created a setuid.c file (I compiled it), which sets the suid and guid to w**-d***. I managed to upload this file through the webapp (via webshell), so the owner of the file is w**-d****. I set the suid bit, I ran the file with user b***, and I could not escalate to w**-d***. Why is that? I checked the fs, and there should not be a nosuid mount. Any ideas?

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

I think I got user the unintended way. I was able to ssh in with what I pulled from the blobs, then reset the box because it was giving me issues and now I can’t ssh :neutral:

EDIT: Disregard - it was the intended way, I had a typo :blush:

@nando740 said:

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

The certificate will give you a clue about what website to visit.

@gu4r15m0 said:

@nando740 said:

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

The certificate will give you a clue about what website to visit.

I visited 2 APIs from the registry. The above error is when trying to d*** ln or d** p***.

@nando740 said:

I visited 2 APIs from the registry. The above error is when trying to d*** ln or d** p***.

The certificate error/warning is irrelevant; it is expected as the certificates are self-signed.
Are you using wget to download something? Try --no-check-certificate
If you are using curl, try -k

@gu4r15m0 said:

@nando740 said:

I visited 2 APIs from the registry. The above error is when trying to d*** ln or d** p***.

The certificate error/warning is irrelevant; it is expected as the certificates are self-signed.
Are you using wget to download something? Try --no-check-certificate
If you are using curl, try -k

I can download things. But trying to pull from the registry with d***** p*** always gives that error. Same for login to the registry with d***** l****.

Are the files I upload supposed to disappear? Can’t find a way around it :neutral:
Any nudges?

@gu4r15m0 said:

Are the files I upload supposed to disappear? Can’t find a way around it :neutral:
Any nudges?

Yea, gotta be fast.

Finally rooted. Thx for this cool box!

Solved my problem. Got user. On to root.

Does anyone have some FAIR documentation on how the f* the r***** works? I cannot set up my server :S

Stuck on a login page for the c*s. :confused:

Done!

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

  System information as of Tue Mar 10 05:37:54 UTC 2020

  System load:  0.0               Users logged in:                1
  Usage of /:   5.6% of 61.80GB   IP address for eth0:            10.10.10.159
  Memory usage: 23%               IP address for br-1bad9bd75d17: 172.18.0.1
  Swap usage:   0%                IP address for d----0:         172.17.0.1
  Processes:    159
Last login: Tue Mar 10 05:37:27 2020 from 10.10.14.36
root@bolt:~# sha256sum root.txt
029b18b4c0e2194ef4be039b9e362d32522a5b8ab5141af4487293e338d763fe  root.txt
root@bolt:~#

Great box, love it! Thanks to @deluqs for the help.