Travel

Need some help on building exploit for m****e and dg. I can understand what happens behind the scenes, but I can’t find a way to go further for next step.

Edit 1
Got user. Thanks @d3spis3d for the clean explanations on those exploit building things.
On to root.

#~
Root owned. It’s a brilliant machine. But was a pain in the a*s for the last 3 days.
Initial foothold and initial shell is really hard as f**k. Root is easy.
For the first time I wrote a py script and it worked like a charm. Feel proud.
Thanks @xct @jkr for the pain and stuff to learn.

PM for cryptic nudges.

@0xstain said:

Hey, I can overwrite me*****he but I have no idea what to overwrite, can someone tell me in PM what I must overwrite, please?

You don’t have to overwrite anything. Just because something exists, doesn’t mean a second can’t exist as well.

Finally - with (very patient) help from @0x41 and @d3spis3d

I made things harder than they needed to be but also learned something new in the root privesc part.

Happy to help others via dm

root@travel:~# ip addr | grep 10.10.10.189 | awk '{print $2}' && whoami && id
10.10.10.189/24
root
uid=0(root) gid=0(root) groups=0(root)

Box made me wanna commit but we got there in the end. Thanks for the fun. Inbox is open, as always :slight_smile:

Finally rooted after quite a long journey and lots of breaks! Hardest one I’ve done so far, learned many new things on this one. Awesome box

Found the B**g and stuck for a while now, any hints are appreciated

Finally got root on this after almost a week and some hints/nudges. Great box for sure!

@n0br3 DM me what you have so far and I’ll try to help out a bit

Wow, that box wasn’t easy at all. I learned a lot, it took so much time to finish this but I don’t regret it. I had most of the concept but here you need to go deep enough and make no mistake.
Initial foothold: enumerate until you find the page where to travel, try to send your “request” by “another route”
User: When you are able to travel, you are still at the beginning of the road, look for hints and go back, there is not only one way
Root: The user that has access to all the roads can make anyone travel to the root

Can someone PM me for a sanity check on the initial foothold? Thank you

Really hard box but the best one I did so far. Thank you very much to the box creators.
The initial part is the hardest one.
user: There is a very popular tool which will help you with the initial foothold and get back the connection - the travel route and the tool name are very similar.
root: don’t forget to check all files and then you will see your travel path

I found some interesting stuff for the path to root but I’m not sure how it can be leveraged? A possible rabbit hole? Has it even been leveraged in the wild?

Finally owned. What a box. Learned a ton of stuff. Couldn’t have done it without some tips.

foothold: find all files you can and figure out an unusual way to communicate. After that you can force the service to open a door for you. Note: pay attention to the bytes!

user: enumeration

root: manipulate the guardian to let you in and give you what you need

paying it back – ping me for tips if needed

Massively challenging box - as everyone else here has said.

Well done to @xct and @jkr for making something which really does push creativity.

I probably spent two weeks trying to get user and the main thing I can suggest is look very carefully at everything you can get your hands on. The bedrock of the attack is a common problem in the language used, then after that it’s about working out a way to exploit something else running.

When it came to root, I think I was given a bit of an easy ride because someone else had left traces of what they did which gave me a massive pointer in the right direction, but general enum will also get you to see the way to get root. Then it is a matter of research.

Fucking amazing box!!!

I really enjoyed this box and it took me a lot of time

Initial shell was pretty amazing and really hard so my hints

  1. enumerate with classical tools. Read the website and get one more site. In that site enumerate again and dump everything that you can. When you get all, try to clone and replicate in your localhost. I didn’t need m******d service.

user: classic enumeration. Try to do it manually cuz some tools will give you too much info. However both ways should give all you need

root: This part was hard for me: I didn’t have experience in that service in that OS. I had to read everything. When you get user, just try to do the same thing and verify what you got, read and do some research if you need as I did

Again, amazing box thx for this

I’m stuck on a problem, can anyone help me? Plz PM :neutral:

Finally got root,
this box is very very good and realistic.
Thanks to the authors :slight_smile:

What a journey! But it was definitely worth it! Great job @xct and @jkr!
And thanks to @TheWorld and @Neo2SHYAlien for your nudges.
Some additional hints to what is already found here:
foothold: A single byte can make a huge difference. Don’t be a private member like I did first but a public one.
User: usual enum
Root: After user you’ll pretty instantly find something juicy which is the way forward. Check with google how this thing may relate to linux authentication and how you can leverage that for your success.
As always: PM for hints, this box is a beast :wink:

Is there anyone else here, who spent days just trying to find something? I’ve used multiple directory scanning tools, that come up with nothing.