Had some trouble with root but in the end made it. Shout out to all the people who helped me, thanks a ton guys , Open for hints
stuck with the upload form, tried different approaches (using just magic, concatenating two files) but canāt get RCE, let alone a reverse shell! a nudge would be appreciated
@federella said:
stuck with the upload form, tried different approaches (using just magic, concatenating two files) but canāt get RCE, let alone a reverse shell! a nudge would be appreciated
You can get a good example of how to bypass this by googling what you are trying to do and going to a gitbook page.
Ideally you want to be uploading an actual valid image.
This was a very fun machine, there are a lot of good hints here. I have a couple more below:
Foothold: OWASP Top 10 and hide something in plain sight
User: If at first you donāt succeed try again with something you already know
Root: You can sometimes trick a system into looking at something it shouldnāt
PM me if you need any hints
Type your comment
Hi all.
Get the user quite easy. there are at least two solutions to get in
lovely box.
But need some hint about root.
As i see gdb is present. is we need to look in this direction?
also, we have one +s file, witch allowed to our grp.
it this ok?
Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.
in my local solytion alredy found, but, as always, not in the server)
Done. Was really struggling with the root part for some hours because I misunderstood how that whole thing worked.
Very nice box!
@swagcat228 said:
Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.in my local solytion alredy found, but, as always, not in the server)
You might be overthinking this. You donāt need to RE anything for this box. Have a look at what its doing and see if you can meddle with it.
#Maybe an issue?
Hi, iām stuck with the upload of imageā¦ i tried all way to upload my rev, but if i upload a clean image too, catch ever and ever the āalertā of png, jpg extension.
Anyone same issue??
Hi All. Working on root. When trying to upgrade the shell, it seems I am now getting an error that wonāt allow /bin/sh commands. Anyone having that problem or know how I might be able to get around? This was not an issue for the last few days.
Root Dance - learned an interesting method regarding the uploading.
Hello,
Could I have an hint on the initial foothold ?
I can upload a file that contains PHP code, but I havenāt found a way to make it end with a executable extension. (Null bytes, double extension, content-type didnāt work).
I havenāt found any PHP file that does inclusion and would allow an RCE by including the image with php code.
I have also tried to include php instructions directly into the page since quotes arenāt filtered in the filename but it didnāt work either.
I am a bit lost about the direction I should take.
Obviously, I find what I am looking just after asking for help ?.
Search for OWASP documentation about file upload. There are some strange configuration about what get to be executed on a server.
stuck on www-root
And root! Great box from start to finish.
Happy to answer messages for hints.
I totally agree, I also enjoyed the box and had fun. Thanks.
Sanity check, someone please? I may be into a rabbit hole trying to rootā¦ DM if possible
Incredibly satisfying box for me. Although the frustration at getting initial foothold was maddening, the moment you realize how to get it, will give satisfaction in awesome waves ;). Root was very routine I think. The user part was really great. Thank you for this box.