Obscurity

Finally rooted!!

It’s a very good box. Basic scripting and code auditing are required, and all the hints are there in the above discussions.

Feel Free to PM anytime!

Owned! Nice box to practice some scripting.
PM for help if needed

So I am getting the following while trying to get a reverse shell, using a Python script that has url+path, where url=host:proxyport(8x8x) and path is the payload to get a reverse shell.

Just going by what I read, it seems the Obscurity box is resetting it. Have any of you seen this?
Error:
requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

Edit: never mind guys, I ran the s*.py locally to test my path and it worked, then tested it via browser and it worked again. Got a reverse shell, let us see what happens next.

Finally rooted

Most of the hints on this forum will eventually get you this box.

feedback
Good points
Custom webserver script for foothold was a creative idea, I loved that part. Learned a few things on the Python side.
Usage of certain code for root was also a creative idea, but in the end it was easier than user.

Not so good part
Usage of encryption/decryption could have been better. In Nest, vbscode has done some good work in creating that story, even if that was CTFy, but here the guesswork on permutations and combinations to get the key was not a great experience for me and made me waste a lot of time. In Nest you need to get all the parameters (passphrase, salt, etc.) right/change for root to decrypt its creds. I loved that part on encryption.

Anyway, Mr. creator, good work in putting all this together. Had fun eventually.

Rooted. For me rooting was extremely easy… and I think I rooted it using an “alternative” way.

I believe that the original idea for root was to “watch” for a file and “change” it. However, I found a much easier way that requires absolutely no effort.

Anybody interested in discussing it?

Been wondering what the 2nd way to root the box is? I rooted it by catching some quick file. Can someone pm me the alternative way?

Hi. I found the sss.py file. I read the code and I understand the RCE. But idk how I can use sss.py. Can you help me?

@piyadist said:

Hi. I found the sss.py file. I read the code and I understand the RCE. But idk how I can use sss.py. Can you help me?

Read the code carefully and see which function/method is used that can be exploited. It’s similar to the way you would with SQLi.
Trying to run that code on your own system to practice RCE is also a good idea because you can see the result of your progress.
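The SQLi comparison above, as an added example that is not from the thread or from the box's server code: a hypothetical handler that formats a request path into Python source and passes it to `exec()`, next to a version that treats the path as data only. `serve_vulnerable`, `serve_hardened`, `DOC_ROOT` and the sample paths are all assumptions made for this sketch.

```python
import posixpath

DOC_ROOT = "/var/www/html"  # assumed document root, for illustration only


def serve_vulnerable(path):
    """Anti-pattern: the request path becomes part of generated source code."""
    scope = {}
    # The path lands inside a quoted literal, so a quote character in the
    # path ends the literal and whatever follows is parsed as Python,
    # the same way unescaped input ends a string in a SQL statement.
    exec("page = 'Requested: {}'".format(path), scope)
    return scope


def serve_hardened(path):
    """The path is only ever data: no exec(), and it must stay under DOC_ROOT."""
    full = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    if not full.startswith(DOC_ROOT + "/"):
        raise ValueError("path escapes document root")
    return {"page": "Requested: {}".format(path), "file": full}


# Constructed inputs: a normal path, and one whose quote closes the literal
# and appends a harmless marker assignment.
BENIGN = "/index.html"
MARKER = "/x'; injected = True; note = '"


def demo():
    """Return whether the marker statement ran in each handler."""
    vulnerable = serve_vulnerable(MARKER).get("injected", False)
    hardened = serve_hardened(MARKER).get("injected", False)
    return vulnerable, hardened


if __name__ == "__main__":
    print(serve_vulnerable(BENIGN)["page"])
    print("marker executed (vulnerable, hardened):", demo())
```

When auditing a custom server like this, any `exec()` or `eval()` whose argument is assembled from request data is the finding, whatever filtering sits in front of it.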

Hi there, I have been through the first phase of finding the .py file, and I am able to figure out the code and the point of entry to get a reverse shell. So here is the thing: I passed the reverse shell in py over to the “function” and ran this in Burp Suite while waiting for the bash. But I do not get any response, the response in Burp Suite is blank. I am stuck, basically. Can anyone help in getting the initial foothold? Also, I have seen here on the forum that most people say to simulate it locally. I tried running the code; it ran successfully and exited. Also, please guide me here, it seems like I need a nudge.

So this code’s purpose is to run that service you are trying to exploit. You need to write some extra code to make it actually do its job. Think of that downloaded code as a module instead of an executable script.
If you do it properly, your system will be serving the exact same service that the box is running. Then you can practice your RCE with the visibility. If a payload can get a shell from your own system, it can give you a shell on the target’s.

Did someone change the key for the SSC? Because I reversed the algorithm, but the a***** key I get does not seem to work.

I have SSS.py and I think that there is an RCE in the exec(). Do you have any tips to exploit it?

@avonsec said:

@piyadist said:

Hi. I found the sss.py file. I read the code and I understand the RCE. But idk how I can use sss.py. Can you help me?

Read the code carefully and see which function/method is used that can be exploited. It’s similar to the way you would with SQLi.
Trying to run that code on your own system to practice RCE is also a good idea because you can see the result of your progress.

Thnx. I found the trick. But I used nc and msp* for the reverse shell and it did not work. Which payload can I use?

@Isaac8 said:
Did someone change the key for the SSC? Because I reversed the algorithm, but the a***** key I get does not seem to work.

It might be the case, but you can always reset the box.

@scolethal said:
I have SSS.py and I think that there is an RCE in the exec(). Do you have any tips to exploit it?

I recommend running the SSS code locally to test.

@piyadist said:

@avonsec said:

@piyadist said:

Hi. I found the sss.py file. I read the code and I understand the RCE. But idk how I can use sss.py. Can you help me?

Read the code carefully and see which function/method is used that can be exploited. It’s similar to the way you would with SQLi.
Trying to run that code on your own system to practice RCE is also a good idea because you can see the result of your progress.

Thnx. I found the trick. But I used nc and msp* for the reverse shell and it did not work. Which payload can I use?

Make sure you can RCE before thinking of getting a shell, and again, the easiest way to see whether you can RCE is to see it run locally.

Thnx. I was embarrassed. It was very easy. I did :)

Rooted.

Thnx @avonsec and @mty0x. It seemed difficult initially because I did not know the Python language very well. However, I realized later that it was very easy.

User: Read sss.py and find the vulnerability. Then find and read the other files. Understand the logic. If 5+key=10, 10-5=key.

Root: Very easy. You will use a known technique. Read the relevant file and understand how it works.

PM me for hint
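The "5+key=10, 10-5=key" logic above, as an added example that is not from the thread or the box's files: it assumes a toy cipher that adds a repeating key to each character, and shows why one known plaintext/ciphertext pair hands over the whole key. The cipher, the key `k3y!` and both messages are constructed for this sketch.

```python
def encrypt(plaintext, key):
    """Toy additive cipher (assumed): c[i] = (p[i] + k[i mod len(k)]) mod 256."""
    return [(ord(p) + ord(key[i % len(key)])) % 256
            for i, p in enumerate(plaintext)]


def decrypt(cipher, key):
    """Inverse of encrypt: p[i] = (c[i] - k[i mod len(k)]) mod 256."""
    return "".join(chr((c - ord(key[i % len(key)])) % 256)
                   for i, c in enumerate(cipher))


def recover_keystream(plaintext, cipher):
    """c = p + k, so k = c - p at every position where p is known."""
    return "".join(chr((c - ord(p)) % 256) for p, c in zip(plaintext, cipher))


def shortest_period(stream):
    """Collapse a repeating keystream to the shortest key that produces it."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# Constructed data: one message whose plaintext is known to the analyst,
# and a second message encrypted under the same key.
SECRET_KEY = "k3y!"
KNOWN_PLAINTEXT = "constructed known plaintext sample"
KNOWN_CIPHER = encrypt(KNOWN_PLAINTEXT, SECRET_KEY)
OTHER_CIPHER = encrypt("second message, same key", SECRET_KEY)


def demo():
    """Recover the key from the known pair, then read the second message."""
    key = shortest_period(recover_keystream(KNOWN_PLAINTEXT, KNOWN_CIPHER))
    return key, decrypt(OTHER_CIPHER, key)


if __name__ == "__main__":
    print(demo())
```

Any scheme where ciphertext is plaintext combined with a reused key by a reversible operation fails this way, which is why stored credentials call for a vetted authenticated cipher and a key kept away from the data.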

@fbertone said:

Hi all,
I’m stuck at the last step of user…
I decrypted (apparently) both o??.txt (a************) and p***************.txt (ST*)
but I’m not able to connect via ssh using either keys or variations of the second one.

Is ssh active for user r***** or should I try to reverse-shell?
Or do I have to try more variations of the key?

Thanks

Would you be kind enough to tell me how these two files are decrypted?

rooted!

Nice box, I liked the thought process that was required to get user. Root was crazy easy, though!

After putting this box off for a long while because I am absolutely trash at anything programming related, I took the plunge yesterday to get back into it. Finally rooted it today, root was really cool. The biggest issue for me with user was trying to get the local server instantiated in the first place.

Also, if you’re having problems with the bad characters for a key, try base64ing before transferring it to your attacking machine, and then reading directly from a file. Copy and pasting screwed me for a few hours.

Honestly @clubby789, that box really did teach me loads, and it was absolutely awesome the whole way through. Thank you!
