Just rooted the box. It was a brutal journey and I must say I kinda hated it for an easy box.
The initial foothold, the enumeration was fun - piecing together all the clues and avoiding the rabbit holes, but hated the mysql config part and all the issues I ran into. Thanks to @T13nn3s for the comment here and the hint about the char limit.
Running a few scripts showed me what to do for the root part. Even though it is pretty straightforward I struggled to get the reverse shell. There are a few articles that describe this, but everything needs to be tweaked and I definitely learnt something new about sudo here.
I have found both files in a****-**r, but I haven’t found that login page that everyone keeps talking about. I have tried several wordlists with dirbuster and nothing…
There must be something really obvious that I am not seeing… Can someone please give a hint?
Check back on your enumeration again. Consider what you got from both the files and what other services you have found. Work from there and you can indirectly figure out the path to the login page. DM me if you still really can’t find it.
Finally rooted and finished this task. This is really an interesting box for easy because it is less about exploits but more about how you enumerate, the attention to details and of course, to break out of your tunnel vision too. A lot of red herrings to mislead you but if you have a proper methodology or you keep really good enumeration notes, this will really help you. Like how this trains us to enumerate more than to exploit.
User: Difficulty of foothold depends on if you know a specific tool related to databases. The machine name is a big hint.
Thanks for this hint @flipflop139874 I never would have gotten the page without this!
This is definitely the most challenging “easy” box I’ve encountered on here, can’t say I agree with calling this an easy box. Nevertheless thanks for making a great box, I definitely learned A LOT…
User was pretty difficult for me… just enumerate and enumerate… to get on the box, I had to learn a new technique which was pretty cool actually
Plenty of tips on here, but when you figure out what you need to do for root, remember to try all different payloads… some won’t work, some will but not correctly, but eventually you’ll get the right one as long as you try all of them
Foothold: This is not like other easy boxes. You have to stop and think a little about each breadcrumb that is given to you, not a whole lot but just a little. My advice is to do what you normally do and INCREMENT LOGICALLY to the next step(s). If I tell any more I will spoil it.
User: Once you find it then it is just Google-fu. Again, don’t be like me and waste time by underestimating the difficulty of this box, it really is that complex but still pretty simple.
Root: OK so now you are finally on the box, if this is your first Linux box check out GTFOBins. Else, just do what you would normally do and you should eventually find the combination of steps. Also think about directories that admins always have access to when you realize what must be done. I really hope this is not a spoiler.
PM later on this morning if you have any questions. This was definitely not an easy box. A good box, but certainly not easy. I am going to sleep now lol.
FOOTHOLD: dirsearch (-l -f -w), connect to the right port, enum and dirsearch again (search the login page…)
USER: CVE, a rogue server could help you…with the right “filelist” path…and check the log file…
ROOT: spy processes and tasks, and find the right “path”… to the right script…
Tried to hydra the login page, but it seems it cannot identify the access denied text, so it returns all false positives.
Does hydra not work with this page?