Admirer

Too much lag on the machine. Finally managed to capture the root flag after 2 resets and doing everything fast.

Hints
User: Enumerate directories, ftp etc. Everything is in there. Do not destroy everything in your path and do not use 100 threads for each task. Be gentle with the machine!
You will also need to use your SQL skills for this common vulnerability. First google result describes everything in detail.

Root: Took me some time to understand that python is a good friend for us and bad for naive roots. When you understand how it works you can use it to your advantage to get a shell, extract a shadow file or simply capture the flag and be on your way.

Hope I didn’t spoil. If I did let me know what to remove.

This box was very frustrating for me but I learned some important lessons from it. Let’s hope I don’t forget them. The rabbit-holes reminded me a lot of OSCP boxes. Root was very interesting imho.

General hints: For enumeration-heavy boxes it’s important to try different word lists and be mindful of file extensions. If you discover a new location, enumerate that as well. Take good notes of what you see because it might be important later. If something doesn’t work, try to figure out why and if maybe you need to modify it. Error messages can be very valuable.

Hey y’all,
Looking for a nudge. I’ve fuzzed a bunch and found many interesting things and pulled some files/dirs from the lower port. I then used these for more info and further fuzzing. Stumbled upon the login page that is mentioned by others (a*****r.p**). None of the previously found creds work. I found that this particular version was the last version to allow for a special kind of “p-less” login. Is this a rabbit hole and if not, where should I be looking next?

Longest path to the user I’ve ever done… ?
This box requires a lot of patience; if you are not patient, leave it.
Almost all hints are given here:
User : Enum - enum - enum,
Root: a little trick and root will give you success.

This box is definitely not an easy one, I would rate it medium as others said.

@abhijasud said:

connection refused mysql dm me need help

make sure the bind-address is correctly configured.

What wordlist should I use? I’m using raft-large with gobuster but nothing close to what I think to see in the forum

can I get a nudge

thanks

Rooted. The foot hold was a lot more difficult than root.
I was stuck for what seemed like forever on the login page.

And after 16 hours I managed to get root. It was not at all easy, indeed the opposite. Thanks to @EvilT0r13 @olsv @troet for support.

Thorough enumeration, hunch skill and never giving up on trying will make the enumeration part easy. No brute force needed. The technology exploit at the login part is so much fun since you can do it from scratch or use a ready-made one.

Root is kinda hard for me since I’m not that familiar with snake lifestyle and king options. Now I learned something new from root. Overall good box!

@Kyoureka said:

snake lifestyle and king options.

LOL. I guess that’s a good way to describe it without giving away too much.

Rooted !

Definitely not an easy one. This should be medium.
Root was very cool !

PM if needed :)

Is the machine slow? Because when I get into user, that's it, after that it gets stuck.

Hey! I have the root flag but I cannot get a reverse shell. Can anyone private message me with any hint? Thank you! =)

root@admirer:/tmp#  ifconfig | fgrep 10. | awk '{print $2}'&&whoami
10.10.10.187
root

Finally got the root flag. It took a few days to get the foothold and half a day to privesc to root. The foothold is really hard compared to the privesc and the user, and needs tons of enumeration. The root flag is not hard, but the box is pretty unstable and laggy, which is the difficulty instead of the actual privesc, I think. However, I just got the root flag; I tried to get a reverse shell with either python or bash but neither of them works. The python one shows a connection to my host, which I receive in nc, however I don’t really have a shell and it is just stuck there. I think my reverse shell is fine because I tried it with the user and it works. Does anyone have some hints to make the reverse shell work, please?

Very good machine,

So much learning even if this is marked as an easy box; shell was an experience in root.

Foothold: You can use your common lists to enumerate the target. This part is a little messy because it has several rabbit holes, so be creative.

User: at this moment you can find a window, so google fu; to get into it just prepare your server and run.

Root: I never thought that we could do that at that level; this requires a mod in your way.

I hope this can help and if this is a spoiler please remove, thanks.

Just r00ted. Such a great machine I have gone through.
From my side root was easy to get if you have py***n experience.
But for the user flag, you have to hit your head. It took 3 days for me to get the user flag,
but a few minutes for the root flag.
Enumeration is the key to get the flag.
This was surely not an easy machine, but the way they created the box is ultimate and it gives some fruitful knowledge of some unknown techniques.
The amazing thing is I didn’t know that priv esc is such a kind.
Thanks, @GibParadox, and @polarbearer for this wonderful machine.

@Kaiziron said:

Finally got the root flag. It took a few days to get the foothold and half a day to privesc to root. The foothold is really hard compared to the privesc and the user, and needs tons of enumeration. The root flag is not hard, but the box is pretty unstable and laggy, which is the difficulty instead of the actual privesc, I think. However, I just got the root flag; I tried to get a reverse shell with either python or bash but neither of them works. The python one shows a connection to my host, which I receive in nc, however I don’t really have a shell and it is just stuck there. I think my reverse shell is fine because I tried it with the user and it works. Does anyone have some hints to make the reverse shell work, please?

I had the same issue and to speed things up, I simply created a new user with sudo permissions via a simple .sh script and used that user to become root.

Idk why, but cat gives no output whereas nano shows file has content. Does anybody know why this is happening?