Need some help on building exploit for m****e and dg. I can understand what happens behind the scenes, but I can’t find a way to go further for next step.
Edit 1
Got user. Thanks @d3spis3d for the clean explanations on those exploit building things.
On to root.
Root owned. It’s a brilliant machine. But was a pain in the a*s for the last 3 days.
Initial foothold and initial shell are really hard as f**k. Root is easy.
For the first time I wrote a py script and it worked like a charm. Feel proud.
Thanks @xct @jkr for the pain and stuff to learn.
Wow, that box wasn’t easy at all. I learned a lot, it took so much time to finish this but I don’t regret it. I had most of the concepts but here you need to go deep enough and make no mistake.
Initial foothold: enumerate until you find the page where to travel, try to send your “request” by “another route”
User: When you are able to travel, you are still at the beginning of the road, look for hints and go back, there is not only one way
Root: The user that has access to all the roads can make anyone travel to the root
Really hard box but the best one I did so far. Thank you very much for the box creators.
The initial part is the hardest one.
user: There is a very popular tool which will help you with the initial foothold and get back the connection - the travel route and the tool name are very similar.
root: don’t forget to check all files and then you will see your travel path
I found some interesting stuff for the path to root but I’m not sure how it can be leveraged? A possible rabbit hole? Has it even been leveraged in the wild?
Finally owned. What a box. Learned a ton of stuff. Couldn’t have done it without some tips.
foothold: find all files you can and figure out an unusual way to communicate. After that you can force the service to open a door for you. Note: pay attention to the bytes!
user: enumeration
root: manipulate the guardian to let you in and give you what you need
Massively challenging box - as everyone else here has said.
Well done to @xct and @jkr for making something which really does push creativity.
I probably spent two weeks trying to get user and the main thing I can suggest is look very carefully at everything you can get your hands on. The bedrock of the attack is a common problem in the language used; after that it’s about working out a way to exploit something else running.
When it came to root, I think I was given a bit of an easy ride because someone else had left traces of what they did which gave me a massive pointer in the right direction, but general enum will also get you to see the way to get root. Then it is a matter of research.
I really enjoyed this box and it took me a lot of time.
Initial shell was pretty amazing and really hard, so my hints:
enumerate with classical tools. Read the website and get one more site. In that site enumerate again and dump everything that you can. When you get all, try to clone and replicate it on your localhost. I didn’t need the m******d service.
user: classic enumeration. Try to do it manually cuz some tools will give you too much info. However, both ways should give all you need.
root: This part was hard for me: I didn’t have experience with that service on that OS. I had to read everything. When you get user, just try to do the same thing and verify what you got, read and do some research if you need, as I did.
What a journey! But it was definitely worth it! Great job @xct and @jkr!
And thanks to @TheWorld and @Neo2SHYAlien for your nudges.
Some additional hints to what is already found here:
foothold: A single byte can make a huge difference. Don’t be a private member like I did at first, but a public one.
User: usual enum
Root: After user you’ll pretty instantly find something juicy which is the way forward. Check with google how this thing may relate to linux authentication and how you can leverage that for your success.
As always: PM for hints, this box is a beast