Too much lag on the machine. Finally managed to capture the root flag after 2 resets and doing everything fast.
Hints
User: Enumerate directories, ftp etc. Everything is in there. Do not destroy everything in your path and do not use 100 threads for each task. Be gentle with the machine!
You will also need to use your SQL skills for this common vulnerability. The first Google result describes everything in detail.
Root: Took me some time to understand that Python is a good friend for us and bad for naive roots. When you understand how it works you can use it to your advantage to get a shell, extract a shadow file or simply capture the flag and be on your way.
Hope I didn’t spoil. If I did let me know what to remove.
This box was very frustrating for me but I learned some important lessons from it. Let’s hope I don’t forget them. The rabbit-holes reminded me a lot of OSCP boxes. Root was very interesting imho.
General hints: For enumeration-heavy boxes it’s important to try different word lists and be mindful of file extensions. If you discover a new location, enumerate that as well. Take good notes of what you see because it might be important later. If something doesn’t work, try to figure out why and if maybe you need to modify it. Error messages can be very valuable.
Hey y’all,
Looking for a nudge. I’ve fuzzed a bunch and found many interesting things and pulled some files/dirs from the lower port. I then used these for more info and further fuzzing. Stumbled upon the login page that is mentioned by others (a*****r.p**). None of the previously found creds work. I found that this particular version was the last version to allow for a special kind of “p-less” login. Is this a rabbit hole and if not, where should I be looking next?
Longest path to the user I’ve ever done… ?
This box requires a lot of patience; if you are not patient, leave it.
Almost all hints are given here:
User: Enum - enum - enum.
Root: a little trick and root will give you success.
This box is definitely not an easy one, I would rate it medium as others said.
Thorough enumeration, hunch skill and never giving up on trying will make the enumeration part easy. No brute force needed. The technology exploit at the login part is so much fun since you can do it from scratch or use a ready-made one.
Root is kinda hard for me since I’m not that familiar with snake lifestyle and king options. Now I learned something new from root. Overall good box!
Finally got the root flag. It took a few days to get the foothold and half a day to privesc to root; the foothold is really hard compared to the privesc and the user, and needs tons of enumeration. The root flag is not hard, but the box is pretty unstable and laggy, which is the difficulty instead of the actual privesc, I think. However, I just got the root flag; I tried to get a reverse shell with either Python or bash but neither of them works. The Python one shows a connection to my host, which I receive in nc, but I don’t really have a shell and am just stuck there. I think my reverse shell is fine because I tried it with the user and it works. Does anyone have some hints to make the reverse shell work, please?
Just r00ted. Such a great machine I have gone through.
From my side root was easy to get if you have py***n experience.
But for the user flag, you have to hit your head. It took 3 days for me to have a user flag, but a few minutes for the root flag.
Enumeration is the key to get the flag.
This was surely not an easy machine, but the way they created the box is ultimate and it gives some fruitful knowledge of some unknown techniques.
The amazing thing is I didn’t know that priv esc is such a kind.
Thanks, @GibParadox, and @polarbearer for this wonderful machine.
Finally got the root flag. It took a few days to get the foothold and half a day to privesc to root; the foothold is really hard compared to the privesc and the user, and needs tons of enumeration. The root flag is not hard, but the box is pretty unstable and laggy, which is the difficulty instead of the actual privesc, I think. However, I just got the root flag; I tried to get a reverse shell with either Python or bash but neither of them works. The Python one shows a connection to my host, which I receive in nc, but I don’t really have a shell and am just stuck there. I think my reverse shell is fine because I tried it with the user and it works. Does anyone have some hints to make the reverse shell work, please?
I had the same issue and to speed things up, I simply created a new user with sudo permissions via a simple .sh script and used that user to become root.