Admirer

Just rooted

Thanks to @ixxelles and @apalooza for the nudges, helped get past the wall I was hitting.

Overall pretty dope box. The initial foothold definitely seemed the hardest. Root was super cool and definitely taught me something new.

PM me for help

Rooted. If anyone needs help. feel free to DM.

Just rooted the box. It was a brutal journey and i must say i kinda hated it for an easy box.

The initial foothold, the enumeration was fun - piecing together all the clues and avoiding the rabbit holes, but hated the mysql config part and all the issues I ran into. Thanks to @T13nn3s for the comment here and the hint about the char limit.

Running a few scripts showed me what to do for the root part. Even though it is pretty straightforward I struggled to get the reverse shell. There are a few articles that describe this, but everything needs to be tweaked and I definitely learnt something new about sudo here.

Can I pm someone to talk about getting user? I am kind of stuck on command target?

I have found both files in a****-**r, but I haven’t found that login page that everyone keeps talking about. I have tried several wordlists with dirbuster and nothing…
There must be something really obvious that I am not seeing… Can someone please give a hint?

Type your comment> @Dr0g0n said:

I have found both files in a****-**r, but I haven’t found that login page that everyone keeps talking about. I have tried several wordlists with dirbuster and nothing…
There must be something really obvious that I am not seeing… Can someone please give a hint?

Check back on your enumeration again. Consider what you got from both the files and what other services have you found. Work from there and you can figure out indirectly the path to the login page. DM me if you still really can’t find it

Spoiler Removed

Finally rooted and finished this task. This is really an interesting box for easy because it is less about exploits but more about how you enumerate, the attention to details and of course, to break out of your tunnel vision too. A lot of red herrings to mislead you but if you have a proper methodology or you keep really good enumeration notes, this will really help you. Like how this trains us to enumerate more than to exploit.

Thank you @polarbearer and @GibParadox for making this.

Awesome box,

Thank you @polarbearer & @GibParadox for creating this fun experience.
Really enjoyed the foothold.
Root was a journey too

Cheers @polarbearer & @GibParadox. A tricky box, learnt a lot. That initial Enum was tough (for a newb like me)!

Also cheers to @L0J0 for the nudge towards the initial login page.

My priv to root didn’t have anything to do with b*****.py so I’m curious to know how that worked if anyone is keen to DM me and swap approaches?

Rooted !
DM if you stuck

Looking for a nudge on user. Found couple of weird dirs and file, but stuck with next step.

@flipflop139874 said:

User: Difficulty of foothold depends on if you know a specific tool related to databases. The machine name is a big hint.
Thanks for this hint @flipflop139874 I never would have gotten the page without this!

This is definitely the most challenging “easy” box I’ve encountered on here, can’t say I agree with calling this an easy box. Nevertheless thanks for making a great box, I definitely learned A LOT…

User was pretty difficult for me… just enumerate and enumerate… to get on the box, I had to learn a new technique which was pretty cool actually

Plenty of tips on here, but when you figure out what you need to do for root, remember to try all different payloads… some won’t work, some will but not correctly, but eventually you’ll get the right one as long as you try all of them

Just got user. I have to say that was not “easy” by any means. Moving on to root now PM if you need help.

I have this error MySQL server has gone away can any one tell me what to do ?

Edit: Solved

Finally rooted this thing. My tips:

Foothold: This is not like other easy boxes. You have to stop and think a little about each breadcrumb that is given to you, not a whole lot but just a little. My advice is to do what you normally do and INCREMENT LOGICALLY to the next step(s). If I tell anymore I will spoil it.

User: Once you find it then it is just google fu. Again don’t be like me and waste time by underestimating the difficulty of this box, it really is that complex but still pretty simple.

Root: OK so now you are finally on the box, if this is your first linux box checkout gtfo bins. Else, just do what you would normally do and you should eventually find the combination of steps. Also think about directories that admins always have access to when you realize what must be done. I really hope this is not a spoiler.

PM later on this morning if you have any questions. This was definitely not an easy box. A good box, but certainly not easy. I am going to sleep now lol.

Type your comment> @khalid7 said:

I have this error MySQL server has gone away can any one tell me what to do ?

Pm me

I like this box! Enumeration part was really funny :slight_smile: And I learned a lot of things.

Thanks to @polarbearer & @GibParadox

FOOTHOLD: dirsearch (-l -f -w), connect to the right port, enum and dirsearch again (search the login page…)
USER: CVE, a rogue server could help you…with the right “filelist” path…and check the log file…
ROOT: spy processes and tasks, and find the right “path”… to the right script…

Tried to hydra the login page, but it seems cannot identify the access denied text, so it return all false-positive.
Is hydra do not work with this page?