Traverxec

@EDEWAN said:

@th3g3ntleman said:

@EDEWAN said:

Ok, I found the ~d**** directory… Reading the manual and config file, I guess that I need to find more files inside this dir that I can’t see but that exist… Any hint?

@EDEWAN You need to look into the man page and conf page closely and see what else you can ls. There is a folder inside the home folder which you, as a web server, have permission to. You need to find that.

I read the whole manual closely and the conf file too, but I’m stuck… I think it is about the ht****ss file but I can’t find anything else in D*****’s home folder…

Ok, finally I got it… I think it’s because I didn’t understand well the meaning of the public homedirs… I was stuck trying that public homedir through the web instead of the command line…

@RawDawgPAWG said:

Anyone know why my $$$ keys aren’t working? Is there something else I need to do to get them to work?

try copying the priv key to your system then
ssh -i /root/priv_key *****@

@pwonedLegate said:
@RawDawgPAWG said:

Anyone know why my $$$ keys aren’t working? Is there something else I need to do to get them to work?

try copying the priv key to your system then
ssh -i /root/priv_key *****@

@DiamondBlitz said:

Hey, can someone help me? I got to the initial reverse shell but I’m having trouble with user.

Start with LinuxEnum.sh once on the box

@ReT said:

I can’t crack the hash found in .h*****s. John won’t even attempt to crack it.

base64 it, then base64 -d, then ssh2john then john if ssh key

@Strigi said:

Hey Guys,
I need a nudge in the right direction.

I’ve used the exploit with a .py script (it seems I’m not that good with MSF, I’ll need to work on that).

I’ve found the hash in the location described in the conf file and got the N…e pwd.
I also know about the existence of the ~… page which blocks my entrance.
With effort I’m trying to find maybe folders/files underneath this folder but I feel like I’m on the wrong track.

No clue for root, but that will be for later on.

please help me!

~ p.s. I’ve read through all the 41 pages and I’m just not seeing what I think I’m supposed to see in the conf/man ~

Dirbusting is a rabbit hole. Run LinuxEnum.sh and look for the tasty bits for keys.

Getting initial foothold was pretty easy, getting user, slightly challenging after enumerating the OS. Root was downright silly IMO. PM me if you need a nudge.

@grumpychris said:
@ALK said:

For people struggling with root: remember it’s not always a good idea to maximize your screen :wink:

lol, made no sense, and then it did. Thanks for the hint @ALK !

Yea, I was like WTF??? No way.

Finally rooted…

FootHold: CVE.

USER: The service manual is really important. I got stuck in user because I focused on researching files and folders on the webserver… After asking and reading previous comments here, I tried by console…

Root: Well, it didn’t take too much time to find the files I needed, but understanding what to do with them was more difficult… After searching in Google I found the way… GTFO…

Regarding root, I would like to know how exactly it works… If someone could explain, PM please!

@ac884b said:

My feedback for Traverxec:

Root*: quick enumeration would lead you to something… if you are not familiar google it, try it locally and go back and root the box :slight_smile:

  • Make sure you do not maximize your terminal screen a lot … sometimes LESS maximizing is better :slight_smile:

PM if you are stuck

This was the best hint for me regarding root.

@th48th said:
I can’t seem to get a reverse shell.

@nyckelharpa said:
Got root. I’m a novice and this was quite difficult for me. It required some techniques that I don’t fully understand and only figured out by pure chance and the hints here.

My hints (definitely also take a look at the other hints!):

  • Foothold: Enumerate the machine. Anything more would give everything away. Don’t think too complicated :smile:
  • User: You might be able to find credentials on the box (that you need to crack first) and which might seem like you can’t use them anywhere. Don’t work on this too long. Finding the right place to use them is difficult and not necessary (but it is possible to use them!). Instead, have a look at the files of the service you exploited. Also, a hint which might seem paradoxical: Sometimes it is possible to access directories that themselves are in a directory you cannot access.
  • Root: Once you have user privileges, closely examine what is right in front of you. You might find something that contains interesting commands. Minimize the width of your terminal (hard to believe, but that’s not a joke!), execute and then GTFO (also not an insult or a joke, Google and other hints are helpful here).

PM me for advice. I’m willing to help. I just spent the better part of the day getting crazy because I couldn’t figure out what to do :neutral:


I would be very grateful if someone would be willing to explain to me WHY and HOW the technique to get root works. I don’t understand it at all. I can explain all of my steps and what worked for me and what didn’t. I’d also be interested in learning how to own root without resizing and how to defend against this resizing trick.
Thanks for everybody reaching out in advance! :blush:

The journal command (and several other executables) has a SUID permission set that allows it to be run as root from another user. Shrinking your screen throws the command output into some type of display that you can run shell commands from. I think it is a known issue: if the system’s SUID commands are not set properly, you can exploit them.

@uncuscino said:

@acanto95 said:

Just rooted the box.

My god, root was easy but it took me 2 days to find how.

All I can say is the resizing method is not the only one. What helped me was GTFO and less. If somebody did the resizing thing can you tell me how you did it?

Feel free to drop me any PM for hints!

Wait wait wait, you know about another method instead of the resize? PM me please, I’ve done it with the resize.

Following as well, had to resize but got root, quit after that but am trying to crack root and user pw just for fun.

If anyone is awake and has the energy, I would love a hint for the root part… I’ve read the comments but I just don’t get it… :confused:
Edit: Finally rooted!

Finally rooted! Feel free to PM :slight_smile:

I have absolutely no idea about that resize thing. I’m resizing my window but nothing more happens.

Edit: found it. Cause : doesn’t work on tmux. Kinda disappointed by this box.

@Raekh said:

I have absolutely no idea about that resize thing. I’m resizing my window but nothing more happens.

Actually worked… rooted!

This box is giving me anxiety. At first it wasn’t working at all, with all ports filtered/blocked (even after a restart), then it started working out of the blue. Then I couldn’t do anything with the foothold shell, and then I could. It’s so frustrating and I know it’s not meant to be part of the experience.
I’ve been reading the forum and other places to try to figure out what I’m doing wrong, and being massively spoiled in the process. (my own fault)

The best hint I can give for rookies (like myself) is that yes, sure, read the docs (for me one of the docs wasn’t loading at all), there are some decent hints here, but where do you use these hints? I dunno, try the web, try the shell, try wherever you can. Don’t get distracted getting one to work because it might work another way.

Follow-up: is there a way to get tab completion with the foothold shell? (this is more of a general question)

@giantruby said:

Follow-up: is there a way to get tab completion with the foothold shell? (this is more of a general question)

Yes, python method works just fine.

I have managed to get what I believe is the correct hash and cracked it, however when attempting to ssh with the credentials it’s saying access denied. Any ideas, anyone?