Obscurity

Finally rooted after three days. ■■■■■■■■, that RCE was brutal. But hey, at least I discovered VSCode has very nice debugger with Python support :wink:
This machine taught me that no amount of obscure code could hide vulnerabilities. I did not understand fully any of the scripts, but pieces were enough to own it bit by bit. I’m mostly happy that I learned some Python and it’s actually possible to use it with good result even for complete noob like me.

Rooted

Feel free to pm for some tips!

Hi guys. I found the python script but I can’t get reverse shell. I tried with burp decoder but nothing. Can someone suggest me a guide to “build” the payload or something similar?

Rooted!
root@obscure:~# id
uid=0(root) gid=0(root) groups=0(root)

Thanks to EvilT0r13 for nudges.
Few Hints for those who are stuck… Feel free to mark spoiler if it is!
Foothold : You know the file, but don’t know the parent dir… FUZZ accordingly.
User : No need of any custom scripts. Use common sense with encryption<->key<->decryption. You have everything you need.
Root: There are 2 ways to get root. Understand the script. Look what it does and where it does and how can you catch it! Once you catch it, you know what to do with it.

Nice box, but totally CTF like. Thanks to clubby789.

Feel free to PM if need assistance.

huhuhu it takes me 2 weeks to freaking root this box… :frowning:
okay here’s some hint!
foothold: just enumerate what you see!!
note: look through it and google everything! if you are just a noob like me!
user: enumerate and follow the order of the program that you find!
note: dont forget to add “$()” and then cat it!
root: look at the code!
note: seriously look at the code and google everything that you see!!

Rooted!, great box loved the custom stuff!!

The initial foothold was satisfying to get by testing everything and developing a working exploit!
A tip for user would be using “secret” to give the important argument.
for root id say, understand the permissions you have on the location being used to perform the weird operation and how you can manipulate it.
Good Luck! PM for nudges

Just rooted this, my favorite so far. Learnt alot, give me a message if you need a hint.

Type your comment> @brueh said:

  • you know the child!
  • you want to fuzz the parent-directory!!!..
    what should the command look like?..
    … /FUZZ/child…

<3

Rooted! Very nice box. the foothold and the not working Gobuster took me some time, but with a response injection i could fix it. The RCE was a nice experience. Decryption was also funny and a nice idea. the root part was the easiest one.

if anyone need a hint, just let me know.

Struggling with finding the right syntax for foothold, any help will be appreciated :slight_smile:

Struggling with the sss.py right after finding the secret directory. I am aware of whats vuln in the script but cant seem to get it going. Can someone dm me to talk about how to get it running properly / character escaping? Thanks.

Finally Rooted.!!

It’s a very good box, Basic scripting and code auditing are required and all the hints are there in the above discussions.

Feel Free to PM anytime!

Owned! Nice box to practice some scripting.
PM for help if needed

so i am getting following while trying get reverse shell, using python script that has url+path , where url=host:proxyport(8x8x), path is payload to get reverseshell

just going by what i read it seems obscurity box is reseting it, has any of you seen this?
error:
requests.exceptions.ConnectionError: (‘Connection aborted.’, RemoteDisconnected(‘Remote end closed connection without response’))

Edit:- never mind guys ran the s*.py locally to test my path, it worked and then tested it via browser, it worked again, got reverseshell, let us see what happens next

Finally rooted

Most of the hints on this forum will eventually get you this box.

feedback
Good points
custom webserver script for foothold was a creative idea, i loved that part. Learned few things on python side.
usage of certain code for root was also a creative idea, but in the end it was easier then user.

Not so good part
Usage of encryption/Decryption could have been better. in Nest vbscode has done some good work in creating that story even that was CTFy but here guess work on permutations and combination to get the key for me was not great experience , made waste a lot of time. in Nest you need to get all the parameters (passphrase, salt etc)right/change for root to decrypt its creds . i loved that part on encryption.

Anyways Mr. creator Good work in putting all this together , Had fun eventually.

Rooted. For me rooting was extremely easy… and I think I rooted it using an “alternative” way.

I believe that the original idea for root was to “watch” for a file and “change” it. How ever I found a much easier way that requires absolutely no effort.

Anybody interested in discussing it?

Been wondering what the 2nd way to root the box is? I rooted it by catching some quick file. Can someone pm me the alternative way?

Hi. I found sss.py file. I read code and i understand RCE. But idk how can i use sss.py. Can you help me?

Type your comment> @piyadist said:

Hi. I found sss.py file. I read code and i understand RCE. But idk how can i use sss.py. Can you help me?

Read the code carefully and see which function/method used that can be exploited. It’s similar to the way you would with SQLi.
Try to run that code on your own system to practice RCE is also a good idea because you can see the result of your progress.

Hi there, i have been through the first phase of finding the .py file also i am able to figure out the code and point of entry to get a reverse shell. So here is a thing i passed the reverse shell in py over to the “function” and run this on burp suite while waiting for the bash. But i do not get any response blank on the response on burp suite. I am stuck basically. Can anyone help in getting the initial foothold. Also i have seen here on the forum most of the people say simulate it locally. I tried running the code it run successfully and existed. Also please guide me here seems like i needed a nudge .