Obscurity

Can somebody tell me what version of Python (2 or 3) is used on the “0bscura” server?

I started this box last night and it was driving me crazy, I knew what to look for (you should already know it by going through this thread and the website), but I couldn’t find it, tried Dirbuster with all the wordlists with no success until it clicked. So, here is what I recommend:

Initial foothold: use Dirbuster URL fuzz instead of Standard start point.

just rooted! my privesc was not the fanciest tho, I’d love to hear how others approached it :smile:

root@obscure:~# id
uid=0(root) gid=0(root) groups=0(root)
root@obscure:~# 

Hello,
I’m new to Python and need some help… I got the server code and want to test against it by executing it on my box. I need some help to trace how the code gets executed. I try to run it from the command line and it returns with neither an error nor an answer, does not stand as a server (executing in the background and listening on a TCP port), and gives no output!
It seems as if the code just defines the classes but there is no “main” function which launches it and stays running! Can someone help create this “main” function?

@101pipers you can do it that way or you can make it easier on yourself and launch interactive python as all you need to test locally are 3 lines of code already within the script.

Thanks @clubby789 :slight_smile: I enjoyed the machine very much ^^

Hello, I’m having some problems with the SSS.py file.
I actually understood that the vuln is in that ex** function however I’m not able to exploit it.

Can someone give me a nudge?

Just rooted.

It’s indeed a great box to test your problem-solving skills.

Initial foothold is as basic as typical enumerations, but getting to user and root is the whole point of this box.

Feel free to PM me if you require any help on user and root.
Happy to help :slight_smile:

I started a local server with SSS.py, but I do not get any response. I use urllib when sending the payload and all I get is
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine('No status line received - the server has closed the connection',))
even for a simple request of index.html.
I know that the server script runs, because I can print what happens during request handling, I just do not get any response. I think I copied the folder structure correctly, so I should at least get a 400 or 404 page. Anyone care to nudge me in the right direction?

Never mind, the problem was with my Python version and urllib.parse.unquote.

Rooted. First time for me doing any RCE and foothold was absolutely brutal. Thanks @Zaitchev for all the help, or I wouldn’t have figured it out. User was easier and root came pretty quickly. I need to work on my python and study up in SQL injection.

Can’t figure out how to reverse the crypt process. I have the pieces running through my head but don’t know how to modify/trick the script into giving me what I need.

Any nudge is greatly appreciated.

Finally rooted after three days. ■■■■■■■■, that RCE was brutal. But hey, at least I discovered VSCode has very nice debugger with Python support :wink:
This machine taught me that no amount of obscure code could hide vulnerabilities. I did not understand fully any of the scripts, but pieces were enough to own it bit by bit. I’m mostly happy that I learned some Python and it’s actually possible to use it with good result even for complete noob like me.

Rooted

Feel free to pm for some tips!

Hi guys. I found the python script but I can’t get reverse shell. I tried with burp decoder but nothing. Can someone suggest me a guide to “build” the payload or something similar?

Rooted!
root@obscure:~# id
uid=0(root) gid=0(root) groups=0(root)

Thanks to EvilT0r13 for nudges.
Few Hints for those who are stuck… Feel free to mark spoiler if it is!
Foothold : You know the file, but don’t know the parent dir… FUZZ accordingly.
User : No need of any custom scripts. Use common sense with encryption<->key<->decryption. You have everything you need.
Root: There are 2 ways to get root. Understand the script. Look what it does and where it does and how can you catch it! Once you catch it, you know what to do with it.

Nice box, but totally CTF like. Thanks to clubby789.

Feel free to PM if need assistance.

huhuhu it took me 2 weeks to freaking root this box… :frowning:
okay here’s some hint!
foothold: just enumerate what you see!!
note: look through it and google everything! if you are just a noob like me!
user: enumerate and follow the order of the program that you find!
note: don’t forget to add “$()” and then cat it!
root: look at the code!
note: seriously look at the code and google everything that you see!!

Rooted!, great box loved the custom stuff!!

The initial foothold was satisfying to get by testing everything and developing a working exploit!
A tip for user would be using “secret” to give the important argument.
For root I’d say: understand the permissions you have on the location being used to perform the weird operation and how you can manipulate it.
Good Luck! PM for nudges

Just rooted this, my favorite so far. Learnt a lot, give me a message if you need a hint.

@brueh said:

  • you know the child!
  • you want to fuzz the parent-directory!!!..
    what should the command look like?..
    … /FUZZ/child…

<3

Rooted! Very nice box. The foothold and the non-working Gobuster took me some time, but with a response injection I could fix it. The RCE was a nice experience. Decryption was also funny and a nice idea. The root part was the easiest one.

If anyone needs a hint, just let me know.