OSINT + Explore as much as possible
As you move next, find something which may not be openly accessible but does exist there
Exactly understand what you have (very important!)… Misunderstanding it cost me a quarter of an hour until I figured out it was a piece of cake to privesc to root from J****a
Nice box, pretty easy actually but not trivial. Lots of interesting things to discover, sort of logical configurations and escalation. Little tricks to go from a stage to the next, this is what I felt… rooting, super easy, but I have to admit that a nudge from this forum helped a lot to reduce the required time to discover the “right command”… after that, the exploit is a piece of cake!
I am ashamed to ask, but I think I need a hint for the curl command (I am aware I could use something else) . I have literally been through all the pages and curl hints, yet I’m still doing it wrong…
I have found and understood the .**p scripts, and also found an interesting port. I know it runs locally, but even with all this information, I can’t figure out how to write the command precisely. It either returns me the script (so I’m not at the right place) or a “connection refused” error. I have tried a bunch of different syntaxes, to no avail…
I hope it’s the last time I ask a question for this box
The general syntax to make a request with curl is: curl http://ipaddress:port/page.php There are other things you need to do if you want to send things like credentials, such as curl -u username:password http://ipaddress:port/page.php (this is generally bad practice as the password gets stored in the history file, but it's acceptable for CTFs)
Hi there, I got the w**-***a shell. I see that the two users are kinda “linked” together and I know that I can now make some http requests to a private server on a strange port. Can this be the way to go? The place in which I landed seems so messy.
Since I’m pretty new to this website, I would like to ask if files inside the box can be modified.
@TazWake Well, I’m confused myself… I read so many questions/answers about this…
Yes, I tried what you said but get an error: Load key “id_rsa”: error in libcrypto.
Permissions for this .pem file are -rw-------.
Am I using the wrong key ? I tried with the hashed one too (.txt format), but get an invalid format error.
Or maybe I missed a step? Isn’t the passphrase b*********s ?
Thank you!
Most of the time, I’d say the likely cause is that there is something wrong with your key. However, if you have got the correct phrase, something must be working.
People change important files on OpenAdmin all the time so it is possible that someone has helpfully broken the box and you need to reset it.
Hi folks!
I was able to get the first shell by running a 4****.sh script of user w**-a. After that I did a lot of enumeration and got a pv file in a directory. There is a 32 character hash c9*********f in the /o**/ directory. Now I have used both john and hashcat to crack this hash, but in both cases I failed to crack it. Any hint for the next stage?
You’ve probably strayed too far from the initial RCE point. Use ls -al, ignore any recent files and look through the files and folders you can find to see if there is any interesting loot you can use.
It’s also worth enumerating the users on the system.
Is it possible to get the special key for user j***a without using john?
And could someone please DM me why the cl command does work for the m.php file?
@TazWake I wish you were right, but sadly I am just retarded
I was trying to SSH from my kali user (I had copied the key there).
After correcting my error, I was able to get both flags!
I’d like to thank you @TazWake for your help and your patience… I clearly wouldn’t have done it without you!