Admirer

Could use a nudge. Found login, creds don’t work. Used technique to grab files, with success but useless files. Am I on the right track? A little too vague? Don’t want to spoil.

@BINtendo said:

Could use a nudge. Found login, creds don’t work. Used technique to grab files, with success but useless files. Am I on the right track? A little too vague? Don’t want to spoil.

If you are looking at the right login place, look for a way you don’t need credentials.

Rooted! Foothold really made me take a step back and analyze everything. Love the fact that not all creds thrown at you are useful, it feels very realistic. I personally loved this box from start to finish.

Foothold

This is where you need to step up your enumeration. Use different tools, fuzzing and manual enum if needed to find directories you’re not supposed to be in. As someone earlier mentioned, the fact that one thing gives you a 403 doesn’t mean it’s completely forbidden.

User

Piece everything together. The website’s admin hints at using a ‘better open source alternative’ in some files, what could this mean?

Root

New privilege escalation method. No enum needed in my case. This path will become obvious from the start if you read everything carefully.

Always happy to assist so PM me with details on where you’re currently at and I’ll try to nudge you in the right direction.

@TazWake said:

@6uta said:

Am I in the wrong path again?

I don’t think so. Double check your realisation.

Thank you, just rooted.
But I didn’t find that the snake would go to where I was interested.
So I tell the snake where it should go.

Rooted.

Actually didn’t have much of an issue with user (except for dirbuster not working for some reason?).

Root involves a technique with a…twist that I have never seen before. I had no idea it was possible.

Cool box! Thanks!

@TazWake said:

@BINtendo said:

(Quote)
If you are looking at the right login place, look for a way you don’t need credentials.

Ok, so I’m pretty sure I’m on the right track. Like I said, I can successfully grab files, but the useful files I want are restricted. I can’t think of anything close by that would help. I’m up and down the GitHub for this service, looking at my own setup for ideas… Could use a push in the right direction. Thanks.

@in3vitab13 said:

@khalid7 said:

I have this error: “MySQL server has gone away”. Can anyone tell me what to do?

Edit: Solved

Getting the same error, how did you solve it, bro?

Google is the best answer.
The solution depends on you.

Rooted. Foothold was a pain but really, as people say: “don’t overthink it”. You found a file, think about the instructions and take them literally. There are many clues that hint to the next step at each point, read the files and think about them.

Really liked it in the end. Root was fun.

Rooted.

Thanks @polarbearer and @GibParadox for nice box.
I think the initial foothold was a bit too long for me, as I did not scan properly with all required file extensions.
But once you find the initial foothold file with the information, it gets easier.

User is easy once you get the hint from box name. Root pretty easy.

Great box! I have learned new things in the root part. Thanks @disastrpc for the hints, and congrats @GibParadox and @polarbearer.

Rooted this box a few days ago, but didn’t get around to posting about it yet. Really liked this one, thanks @polarbearer and @GibParadox. There are quite a few rabbit holes on this box, but to me they always felt natural, not like on other boxes. It felt a bit like this box is a machine that’s actually being used by someone and that wasn’t completely deliberately set up to be hacked :)

There are many very good hints in this thread here. I don’t really know what to add, but here’s a try:

Foothold: Enumeration really is key. If you always use the same wordlist and don’t find anything, use other wordlists as well. Also take note of everything you find, because even if you can’t directly use it, you might be able to use it later.

User: To own the user, you’ll have to perform quite an interesting exploit. Once you’ve found the right page, some googling will easily give you the correct info. The exploit needs some setup, but isn’t all too complicated in the end.

Root: Another nice exploit that you need to use here. There’s something there that you can control, although it might not seem like it at first. You might be looking for user input to exploit and the way to exploit is quite similar to that, but it’s aimed at something you might not consider to be “user input”. However, take a close look at the user privileges you have.

I’m having a lot of fun with this box, and learning a lot but I’m stuck on mysql. I’ve spent more time trying to get that to work on my machine than the actual enumeration and exploit discovery. If anyone can point me in the right direction that would be great because so far none of the “simple fixes” on google are working out.

This has been the worst and the best machine for me. WHY? Because it’s my first box. LOL. It’s been a frustrating journey but I feel so happy now. It’s been 6 days working on this box (foothold and user - 4 days, root - 2 days). I learned a lot. In the forum you get many clues, but if you are a newbie like me, you don’t understand them, but later after clearing each stage you understand. I need to thank @L0J0 and @TazWake for your help. Thanks guys.

Foothold: Run different wordlists when you bust those directories. Then you get some creds and then run enum more.

User: Google the box name and you find something similar and then read multiple exploits. This step is the most difficult step in this box.

Root: Look for user privileges and what can be done with the result.

Finally I can also say ROOTED!!! :) PM me if you need any help.

“DON’T GIVE UP”

Stuck with user. I’ve googled and read up on the exploit and found a rogue git but stuck on how to use it. MySQL isn’t one of my strong points. Any hints please PM, thanks.

Rooted. It was truly a love/hate relation. I’ve spent lots of time in rabbit holes, but in the end it was really worth it. Root part is quite straightforward, but fun. User part needs a lot of patience, but remember to look for bad practices while enumerating.

Spoiler Removed

@thescriptkiddy said:

Spoiler Removed

I suspect that is a rabbit hole.

@TazWake said:

@thescriptkiddy said:

Spoiler Removed

I suspect that is a rabbit hole.

Then what should be the next step?

@thescriptkiddy said:

@TazWake said:

@thescriptkiddy said:

Spoiler Removed

I suspect that is a rabbit hole.

Then what should be the next step?

Look around more.

Solved this challenge today.

Lots of hints already in this discussion. I will reiterate some.

  • Start by looking for things that web application owners normally want to hide from you.
  • To get foothold use FUZZing. There is no alternative. You may need to use wordlists that contain words commonly used in PHP applications. Search GitHub for those.
  • Getting user is a little harder but search engines are your friend. This technique is a new learning for me.
  • Root access is medium level. Don’t overthink. Stick to basics.

Will be happy to give a nudge to those who want one.

Thanks @polarbearer and @GibParadox


root@admirer:# hostname
hostname
admirer
root@admirer:# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.187 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:4771 prefixlen 64 scopeid 0x20
inet6 dead:beef::250:56ff:feb9:4771 prefixlen 64 scopeid 0x0
ether 00:50:56:b9:47:71 txqueuelen 1000 (Ethernet)
RX packets 13034433 bytes 2068617655 (1.9 GiB)
RX errors 9241 dropped 7918 overruns 0 frame 0
TX packets 11280599 bytes 3455117373 (3.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0x2000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 31892 bytes 3147119 (3.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31892 bytes 3147119 (3.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@admirer:# id
id
uid=0(root) gid=0(root) groups=0(root)