Travel

I have got these 2 files r**_********.php ********.php; I need help with command injection

Spoiler Removed

Can anyone help with the m********d part??

Rooted. Whew. That was a hard box. The initial foothold was the trickiest, and I admit I needed some great nudges from @TazWake @gunroot and @Roinard. Thanks to all of you, much respect will be coming. Once I had that it was a matter of chugging through the steps.

I don’t have anything to add to what has already been posted here.

That was a total beast and thanks to the folks that stayed with me through that one. For some reason this gave me the most problems of all the boxes I’ve done and I’d like to understand why. I’m interested in the mindset and approach taken for that initial foothold. Please DM if you have a write up and would be willing to share so I don’t have to wait for the machine to retire - it’s really bugging me. I’ve rooted and can provide evidence so you know I’m not looking for spoilers and cheating.

Most difficult box I’ve completed; definitely needed some help along the way.
If you need a push, let me know.

Very tough to get a foothold, had to come back many times with a fresh head and re-think.
PE is fantastic, read and learned a lot on the way. Something I heard about but never actually did.
I would rate the user flag as insane, at least it felt sometimes that I would go in that direction ;=)

@dieterh said:

Very tough to get a foothold, had to come back many times with a fresh head and re-think.
PE is fantastic, read and learned a lot on the way. Something I heard about but never actually did.
I would rate the user flag as insane, at least it felt sometimes that I would go in that direction ;=)

I agree.

Privesc was enjoyable but much more straight forward than user. Getting that initial foothold is super hard work.

Spoiler Removed

Wow, what a trip. Took me a few days but I LOVE boxes like this. Custom exploitation, poring through source code, reading pages of documentation. This is why we do it.
Thank you @xct and @jkr, great box. Probably going to clean up my disgusting travel directory, update my notes, and digest all of that.

Also @applepyguy, thanks for putting up with me and helping me through it.

@lebutter said:

Am I the only one who is trying to get a replica of the blog setup locally? The Simplepie stuff is NOT working in my case and I have no idea why… I’m feeding it the same original file, it’s pretty much 100% the same code as from the server… yet it doesn’t display the travels.

You may look up the error. A simple Google search quickly revealed for me what I was missing.

Hint: It was not directly related to Simplepie but m*******e - missing as a module. You also find hints to it in the “main” source file.

Good luck :slight_smile:

Thanks… but I’m not using m****, I’m basically running the simplest version of it, I’ve got it down to pretty much the same as what they show in tutorials… yet, it doesn’t query that feed file and doesn’t return anything. No error either. So far I’ve basically spent most of my time trying to create a freaking one-page wordpress blog, this is driving me nuts.

Finally got it. I never managed to get my replica of the bl** working but that wasn’t completely necessary. This server was insane for me.

The foothold is definitely the hardest. Many times I thought I was going too far down a rabbit hole and caught myself thinking “this is too convoluted”, when buried in source code up to my neck… which for me is tricky as I’m not a developer. I struggle to follow code in big code bases.

User and root are easier although not that straightforward, as it relies on a service I hate.

Rooted it! The foothold was very, very hard, but very, very enjoyable! Thanks @xct and @jkr for this awesome box! Also thanks @Roinard and @anoNym1ty for the nudges!
If you need a small nudge, feel free to send me a PM!

Is anyone doing this box?

@all said:

Is anyone doing this box?

I was last night, got a bit stuck but planning on having another crack at it!

@JaXigt said:

@all said:

Is anyone doing this box?

I was last night, got a bit stuck but planning on having another crack at it!

OK, great. Looked through threads here and hints are too cryptic. My line of thought is perhaps there is something there in r** page and j**n *pi

@all said:

OK, great. Looked through threads here and hints are too cryptic. My line of thought is perhaps there is something there in r** page and j**n *pi

It kind of depends on where you are stuck. User is a lot harder than root here.

If you are looking for user - enumerate it a lot, find something, dump it and read it. By reading it you should get an idea about what is vulnerable in the code, then you can build an attack to exploit this. I found this step very hard with a lot of trial and error to get the right syntax.

Eventually, this gets you a foothold. More enumeration, find something which allows you to connect properly with a real shell and you can get user. Privesc is, compared to that, quite straight forward.

Tough, but awesome experience. Props to the makers. PM for nudges.

Hello, can someone give me a hint on the “basic enumeration” after the first shell? I found one password and some uncrackable password hashes. That’s basically it - I don’t know how to proceed from here.

Edit: Somehow hashcat did not work for me. I used john instead and it worked. Thanks @TazWake