Admirer

Rooted. Recap on my python fundamentals! Big thank you to the box creators!

Rooted :mrgreen:

This box is a good reminder to think about what you’re actually trying to enumerate and select your resources accordingly instead of using the same old lists.

The exploit was an interesting one, and the priv esc to root was fairly obvious but something I hadn’t had to use prior to this machine.

All in all a great box, thanks @polarbearer and @GibParadox!

This one is beating me. I’m stuck and a bit frustrated; I think I missed something along the way, but I can’t even figure out what it is. If someone can throw some light on my darkness, just to see the path and continue…

Everything began fine; the initial enum was slow but nice, everything flowed, and with any piece of info I found, after analyzing and checking it, I had a mental image of the next step or what to do to keep moving forward… But suddenly, when some good stuff and an interesting vector popped out, just when I had the feeling that I got the main thing… I got blocked, stuck without any clue of what or where I need to look for the next step.

Summarizing what I found:

  • Among many other creds I found a working user/pass that gives me the DB schema and data, and a compressed backup of web files. The service config seems to allow me to enumerate valid users even without a password, but I couldn’t find any other account.
  • I was able to relate some of these files with the ones served on 80, but I also noticed they are not exactly the same: some files disappeared, others are just different; I even found a file that looks like the main web content but is definitely not the same, because the downloaded one has a typo that will throw a syntax error.
  • I played with the files I found: the purple info page, the test script, the script that triggers a common task by executing a shell script file. Nothing useful found.
  • Some of the disappeared files gave me the idea of what I need to search for; their content talks about a to-do and searching for an open-source alternative. When I noticed that, I quickly found the alternative open-source tool.
  • The hypothetical creds needed to use the tool didn’t work as expected (the previous typo error), and after some research I found the vuln, which worked fine, but I can’t get any useful info that makes me advance or even a clue to the next step…

I understand the vuln; I can make it work with a fake server and with a legit one installed for this purpose. I even analyzed the protocol packets with Wireshark trying to find some leak that didn’t show in the “normal” output.
I can access any file within the basedir, but with the known files and paths I only get the correct credentials to use with the tool, which only allows me to read a bunch of items.
If I try to read any file outside the basedir: not allowed. I haven’t found any way to bypass this limitation.
I tried to think of possible content and filenames, made a wordlist permuting possible files and variations (backup, temp, old files…): HTTP server files, config files, version control files, system files, some guessed possible files… without a single hit.

And now I’m blocked, no idea what to do, what to search for, or even any hypothetical way to advance toward the user flag… I’m sure I am missing something, but I can’t guess where, when or why…

Any clue or suggestion of what to do or what to try? I’m very frustrated, and the feeling that I’m close or that the missing piece is some crystal-clear-stupid-small-obvious thing… it’s killing me.

thanks
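The post above describes building a wordlist by permuting known file names with backup/temp/old variations. As an added example for this thread (not code from the box, its authors, or the poster), here is a small generator that does exactly that from paths you have already confirmed: it keeps the directory part so the output can be fed straight to ffuf or wfuzz, and it drops the known paths themselves since those are already in hand. The prefix/suffix sets and the seed paths in `main` are my own assumptions and constructed placeholders, not names from the box.

```python
#!/usr/bin/env python3
"""Build a targeted wordlist of backup/temp/swap variants from file names you
already know. Added example for this thread, not code from the box or its
authors; the seed paths in main() are constructed placeholders."""
from itertools import product

# Assumed default sets; extend them once you learn the target's habits.
PREFIXES = ["", ".", "#", "_", "old_", "backup_"]
STEM_INFIXES = ["", "-backup", "_backup", "-old", "_old", "-copy", ".bak"]
SUFFIXES = ["", "~", ".bak", ".old", ".orig", ".save", ".swp", ".txt", ".1",
            ".zip", ".tar.gz"]
DIR_ARCHIVES = [".zip", ".tar.gz", ".tgz", ".bak"]


def split_name(name):
    """'index.php' -> ('index', '.php'); '.htaccess' and 'Makefile' keep no ext."""
    if "." in name and not name.startswith("."):
        stem, _, ext = name.rpartition(".")
        return stem, "." + ext
    return name, ""


def variants(name):
    """Every prefix/infix/suffix combination for one file name, which also
    covers the editor swap style '.name.swp' (prefix '.' plus suffix '.swp')."""
    stem, ext = split_name(name)
    return {f"{pre}{stem}{infix}{ext}{suf}"
            for pre, infix, suf in product(PREFIXES, STEM_INFIXES, SUFFIXES)}


def build_wordlist(known_paths, extra_names=()):
    """known_paths: files seen on the site or in the backup (directory kept, so
    ffuf/wfuzz can request them as-is). extra_names: bare guesses without a dir.
    The already-known paths themselves are dropped; you have those."""
    words = set()
    for path in known_paths:
        dirpart, _, fname = path.rpartition("/")
        prefix = dirpart + "/" if dirpart else ""
        words.update(prefix + v for v in variants(fname))
        if dirpart:
            # The whole directory may have been archived next to itself.
            words.update(dirpart + suf for suf in DIR_ARCHIVES)
    for name in extra_names:
        words.update(variants(name))
    words -= set(known_paths)
    words.discard("")
    return sorted(words)


if __name__ == "__main__":
    import sys
    # Constructed seeds; pass your own confirmed paths as arguments instead.
    seeds = sys.argv[1:] or ["html/contact.php", "html/.htaccess"]
    for w in build_wordlist(seeds, extra_names=["config.php", "db.sql"]):
        print(w)
```

Each seed expands to a few hundred candidates, so pipe the output into a file and run it with the same base URL and the same status-code filters you used for the original enumeration; a hit on a `.swp` or `~` variant usually means an editor left the file behind rather than a deliberate backup, which is worth knowing when you read it.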

@rulzgz said:

This one is beating me. I’m stuck and a bit frustrated; I think I missed something along the way, but I can’t even figure out what it is. If someone can throw some light on my darkness, just to see the path and continue…

Hey @rulzgz, in that “compressed backup of web files” there is a “main” file that you need to look into; it is evidently outdated, but now you have a way to get the latest …/bye!

@D4yz said:

Hey @rulzgz, in that “compressed backup of web files” there is a “main” file that you need to look into; it is evidently outdated, but now you have a way to get the latest …/bye!

Ohhhh ■■■■!! I got it!!

I’m feeling so stupid and embarrassed… I found these ■■■■ creds with the first file I read. My mistake: assuming the correct password was for ONE service only.

I checked it; it worked fine connecting to the DB, but I didn’t see anything useful there and quickly discarded it as a dead end like many others in this box… without trying the user/pass against the other services exposed on the box.

Thanks @D4yz for your answer; when I read it and it didn’t point to another path, I instantly knew I already had what I needed to continue…

Rooted!! If you need help, you can ask me.

Just got root! If you need help, feel free to DM me.

rooted…
initial foothold was a bit rough because someone removed the u******_*****s dir, so I was in a rabbit hole for a long time even though my intuitions were right…

foothold: enum, enum, enum… look for something that you shouldn’t see; even if something is not accessible, that doesn’t mean we can’t enumerate it… you will be able to see what you shouldn’t see with dirbuster and a decently large wordlist… use what you’ve got…
with a little bit of inspection and logical thinking after that you will be able to reach the login page… trust your intuitions… :smiley:

user: from there onwards Google is your friend… exploit it and get what you want… just think about what you saw and where you saw it in the previous enums and inspections…
if you get something spicy, don’t forget that a key can open more than one door :wink:

root: inspect thoroughly and remember what you saw earlier… try to locate the king and how the snake is related… sometimes snakes can be poisonous too… :wink:
control the snake by providing what it wants and then you control the king…
NB: always remember that snakes survive only in a good environment :wink:

Hope that I am not spoiling the box

thanks @TazWake for the nudge in setting up the atmosphere :love:

advice to the newbies who don’t know fuzzing: watch this tutorial: Bug Bounty Hunting - Wfuzz - Web Content Discovery & Form Manipulation - YouTube

If you have user and are at a loss as to where to go next, look at your enumeration notes. There should be something in them that is very important for this stage. All in all a great box. thanks to @Str4thus and @human for the help. I’m happy to give nudges. Just tell me what you have done so far.

Loved the box, all from the beginning to the end. Although I wouldn’t mark it as easy, medium at least. Feel free to DM me for hints (fjank at discord)

root@admirer:~# ifconfig | fgrep 10. | awk '{print $2}' && id
10.10.10.187
uid=0(root) gid=0(root) groups=0(root)

Oh boy what a journey this was. Kudos to @polarbearer and @GibParadox for a fun box.

First box I’ve solved without hints, except what’s written on the forums. I’ll also leave some hints, in case others might need them:

Basic foothold:

  • Stick to the basics
  • Be persistent, run the same command over and over, with slight variations.
  • If you can’t access it, doesn’t mean you can’t access it.

User:

  • Use all your google skills here.

Root:

  • Read everything
  • Might seem obvious, but turns out different users might see different things when looking in the same spot.

Feel free to DM me for a nudge, just explain what you’ve done and I’ll point you in the right direction.

Got root!!
Thanks to @ixxelles @roumy @Str4thus for giving me a nudge!
If you need a nudge feel free to DM me :slight_smile: Just give me concise steps on what you have done!

Rooted!

Like most people have already said, this box is full of rabbit holes and requires a solid methodology to own. It can be difficult figuring out which rabbit holes to avoid, but if you keep focus on your primary objective (i.e. get more access) you should be fine.

For those struggling, here are some hints:

Foothold: A basic nmap scan should point you in the right direction. From there, you will need to use your intuition to figure out where to look. You may also get lucky with the right wordlist!

User: This was the trickiest part of the box. Remember where you previously searched and remember that actual deployments can differ from backups. From there, you should be able to google your way in.

Root: Search for the obvious things that look suspicious. Once you have found the suspicious thing, investigate it deeper. You will need to find a way to become the king/queen of snakes so they can follow your lead.

I’m happy to accept PMs for those of you who have tried hard and hit a hard roadblock! :slight_smile:

Cannot for the life of me find this login page everyone is speaking of - I’m 99% sure I know what is being referred to, but I cannot find it. Any help at all would be so appreciated.

EDIT: Found it, moving onto trying to login - why aren’t the creds working :frowning:

@coopertim13 said:

EDIT: Found it, moving onto trying to login - why aren’t the creds working :frowning:

You can try exploiting it if none of your credentials are working.

This was a hard journey and a painful learning experience for inexperienced ones like me. A lot of guessing or assuming involved here, and of course a lot of rabbit holes. Anyway, learned a lot.

This was my last “easy” rated active box left and it was quite interesting. The most “challenging” part was the foothold; I had some problems with user due to configurations… root took less than an hour…

for foothold: enum, and when you get something, enum again with the new info; there are several hints about it already… I certainly learnt something new out of this.

for user (at least in my case): make sure that whatever you are doing, you are doing it with the right privs… and try not to be closed off to the outside (wasted at least an hour because of that…)

for root: it’s important to know how to lead the snake

I hope I’m not saying too much (it’s the first time I’m giving hints like this)

I was able to learn a lot with this box, thanks to @polarbearer & @GibParadox for this machine.

ROOTED!

This machine was very difficult but I enjoyed every step! I didn’t know the Ad***** vulnerability, but then I discovered there were also APT campaigns that exploited it, so the first part is very real-life in my opinion. Thanks to creators @GibParadox & @polarbearer!

Foothold: you have to do directory/file enumeration in every path you find; then, when you are able to, get everything from the lowest service and inspect it carefully. Common wordlists are enough to retrieve what you need.

User: This part was very cool! Google about the “thing” and set up your server correctly; if you did the previous step correctly you will know what to look for.

Root: if you don’t know the trick (like me) probably it will take a long time. Basically you have to make a script run something that seems identical to something else :slight_smile:


Feel free to PM me if you get stuck.
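Several posts in this thread describe the root step in the same terms: a snake that must be led, that survives only in a good environment, and a script that runs something that looks identical to something else. One way to read those hints is Python’s module search order; that reading is my assumption, not something any post states outright. The script below is an added example for this thread, not code from the box, its authors, or any poster. It resolves `import name` the way CPython does (first matching `name.py` or `name/__init__.py` along the search path), lists the writable directories consulted before the real module, and demonstrates in a temporary tree how a PYTHONPATH entry that survives into a privileged run lets a planted copy win. All directory, script and module names inside `demo()` are constructed for the demo.

```python
#!/usr/bin/env python3
"""Which directories on a Python search path could shadow a given module?

Added example for this thread, not code from the box or its authors. It models
one reading of the "snake"/"environment" hints (an assumption, not something the
thread states outright): Python resolves `import name` by walking sys.path in
order, so if a privileged script's environment keeps PYTHONPATH, or any earlier
sys.path entry is writable, a fake `name.py` planted there is imported instead
of the real one. The script, module and directory names in demo() are
constructed for the demo."""
import os
import sys
import tempfile

MODULE_LAYOUTS = ("{name}.py", "{name}/__init__.py")


def resolve(module, search_path):
    """Path that `import module` would load, walking search_path in order,
    or None. An empty entry means the current directory, as in CPython."""
    for entry in search_path:
        base = entry or os.getcwd()
        for layout in MODULE_LAYOUTS:
            candidate = os.path.join(base, layout.format(name=module))
            if os.path.isfile(candidate):
                return candidate
    return None


def hijack_candidates(module, search_path):
    """Writable directories consulted before (or at) the entry that really
    provides `module`. Any of them lets the current user plant a fake copy;
    entries after the real one are never consulted and are ignored."""
    found = []
    for entry in search_path:
        base = entry or os.getcwd()
        if os.path.isdir(base) and os.access(base, os.W_OK):
            found.append(base)
        if resolve(module, [entry]) is not None:
            break
    return found


def effective_search_path(script_dir, env, interpreter_path):
    """Approximate CPython's sys.path order: the script's own directory first,
    then PYTHONPATH entries if the environment kept that variable (sudo env_keep
    or SETENV would do that), then the interpreter's built-in locations."""
    path = [script_dir]
    path += [p for p in env.get("PYTHONPATH", "").split(os.pathsep) if p]
    path += list(interpreter_path)
    return path


def demo():
    """Constructed scenario in a temp tree: a privileged script imports
    `reportlib` from a site directory, but PYTHONPATH survives into its
    environment and points at a user-writable directory."""
    root = tempfile.mkdtemp(prefix="pyhijack-demo-")
    script_dir = os.path.join(root, "opt", "scripts")
    site_dir = os.path.join(root, "usr", "lib", "python3", "dist-packages")
    user_dir = os.path.join(root, "tmp", "evil")
    for d in (script_dir, site_dir, user_dir):
        os.makedirs(d)
    site_module = os.path.join(site_dir, "reportlib.py")
    user_module = os.path.join(user_dir, "reportlib.py")
    with open(site_module, "w") as f:
        f.write("def run():\n    return 'legit'\n")

    env = {"PYTHONPATH": user_dir}  # what the privileged run would inherit
    path = effective_search_path(script_dir, env, [site_dir])
    before = resolve("reportlib", path)
    candidates = hijack_candidates("reportlib", path)

    # Plant the shadow module where the search path looks first.
    with open(user_module, "w") as f:
        f.write("def run():\n    return 'hijacked'\n")
    after = resolve("reportlib", path)
    return {"before": before, "after": after, "candidates": candidates,
            "script_dir": script_dir, "user_dir": user_dir,
            "site_module": site_module, "user_module": user_module}


if __name__ == "__main__":
    r = demo()
    print("resolved before:", r["before"])
    print("writable dirs ahead of it:", r["candidates"])
    print("resolved after planting:", r["after"])
    # Live check of this interpreter: python3 pyhijack.py <module>
    if len(sys.argv) > 1:
        print(sys.argv[1], "hijackable from:",
              hijack_candidates(sys.argv[1], sys.path))
```

Two things the demo makes visible that a `sudo -l` line does not: the script’s own directory is always consulted first, so a writable script directory is a hijack even without any environment trick, and PYTHONPATH only matters if the privileged context actually preserves it. Run the live check as the low-privileged user against the module names the privileged script imports; an empty list means the environment is not the way in.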

For an ‘easy’ machine this one is challenging!
All the hints on the forum will help, although piecing them together can be tough.
The path to root is easy to find without any tools; however, I struggled to get things to run as it was all new to me.

Thanks to those who helped, you know who you are.

Feel free to PM me if you need a nudge or two.