Magic

Rooted! Good box, learned something when getting first shell. I’m dropping some hints:

  • foothold: pretty standard, almost too easy to bypass… Enter and figure out how to make your way to the system. Images can contain a lot of data… Newlines aren’t your friends.

  • user: enum, then enum and finally enum! Don’t surrender when you find something, just try other tools.

  • root: both a pre-made tool and a manual check should do the trick. Focus on what stands out as non-standard ;).

I hope that I didn’t spoil anything! Enjoy

Finally rooted :) needed quite a few nudges for root. It is super simple but if you have never seen the trick it’s hard to guess.

As always pm for nudges :slight_smile:

Fun box. Didn’t take too long once I got down to it. I would be curious if someone wants to PM me on upload file bypass because I don’t get why what I did worked, but it did.

Otherwise, 100% fun box. All the hints are already in the thread, but just keep it simple. I like the path to root because it shows something interesting about special files. PM me for hints if you want.

I found a password in the PHP database but when I try to log in with su - t****** it says authentication failure, any help?

Finally Rooted.
This box is very much unique. I struggled for both User and Root but the knowledge I got was huge. Thanks to @FunkyMcBeef for helping/guiding me throughout the process of root

Initial foothold:
1. You know how to bypass login using basic things. (really a child’s play)
2. You have to upload something to get the shell
3. Trick is not everything works. For me all the basic methods failed. But then I watched one YouTube video and learned a new method to craft payload. Cat has some powerful magic I would say.

User:

  1. Once you get shell, you know where to look first.
  2. Extract something but you don’t have access to the tools.
  3. But there are other ways to do it. (really it’s in front of you)

Root:
OK this is not easy

  1. linpeas will really give you something (please read it line by line. I didn’t and that’s why I struggled)
  2. check what really happens in the background
  3. exploit it

I am very much descriptive here, hope I haven’t spoiled anything

@666snippet said:

I found a password in the PHP database but when I try to log in with su - t****** it says authentication failure, any help?

You need to use the password for something else, maybe use it to dump what you want out of something.

got USER :smile:
Now onto root…
Pure fun so far, thx for @TRX

Finally!!

root@ubuntu:/root# hostname;id
ubuntu
uid=0(root) gid=0(root) groups=0(root)

Root was basic, but very interesting to find it.
No hints from me. I’m pretty sure that there are enough hints here.

I am stuck at root. Been looking at a script that will clean stuff up and see some interesting “Search and destroy” instructions. However I have no idea how to inject my own code in there.
Not sure if it is even the right path.

I need a little nudge for root, I think I found the binary but I don’t know what to do with it now

finally rooted :smiley:

Very interesting box, sure learned a lot from it…
Kudos to box owner.

Just trying to get user, I think I’m gonna find it

I’m stuck with root, found something but doesn’t look right, could I have a little help? DM

help with root please DM

Had some trouble with root but in the end made it. Shout out to all the people who helped me, thanks a ton guys :slight_smile: , Open for hints :slight_smile:

stuck with the upload form, tried different approaches (using just magic, concatenating two files) but can’t get RCE, let alone a reverse shell! a nudge would be appreciated :frowning:

@federella said:

stuck with the upload form, tried different approaches (using just magic, concatenating two files) but can’t get RCE, let alone a reverse shell! a nudge would be appreciated :frowning:

You can get a good example of how to bypass this by googling what you are trying to do and going to a gitbook page.

Ideally you want to be uploading an actual valid image.

This was a very fun machine, there are a lot of good hints here. I have a couple more below:

Foothold: OWASP Top 10 and hide something in plain sight

User: If at first you don’t succeed try again with something you already know

Root: You can sometimes trick a system into looking at something it shouldn’t

PM me if you need any hints

Hi all.

Got the user quite easily. There are at least two solutions to get in :slight_smile:
Lovely box.

But I need some hint about root.

As I see, gdb is present. Do we need to look in this direction?

Also, we have one +s file, which is allowed to our grp.

Is this OK?