Official Blunder Discussion

“This exploit may require manual cleanup of ‘.********’ on the target”

Stuck here… is it part of the chall or is it only my problem?

@in3vitab13 said:

for root!
google has always been your buddy

Congrats buddy.
Always try to read older comments, as they most probably have enough hints. :wink:

Pretty fun box, but I really didn’t have the attention span for the second step of the first foothold. ■■■■

root@blunder:~# id
uid=0(root) gid=0(root) groups=0(root)

@Jok3 said:

“This exploit may require manual cleanup of ‘.********’ on the target”

Stuck here… is it part of the chall or is it only my problem?

had the same problem!
found a python exp. instead of m**!
you could do the same!

I'm just stuck on getting root.
I found user S*n is in group ld.
After googling, I found that I can make use of it.
But the machine is missing l*c…
So, am I on the wrong track?

@6uta said:

I'm just stuck on getting root.
I found user S**n is in group ld.
After googling, I found that I can make use of it.
But the machine is missing l*c…
So, am I on the wrong track?

The root was pretty easy. Just sit back and think about what you see.

Open to PMs on this box. Initial foothold is killing me.

@JohnGuy said:

Open to PMs on this box. Initial foothold is killing me.

Make sure you’ve found the username and built your own wordlist. Then google how to bypass the protection.

Finally rooted.
Initial foothold: be cewl about the word list and make sure you have the right username.
User: start enumerating from where you landed.
Root: just google your privilege.

PM if you need help

Rooted
root@blunder:/root# id && date
id && date
uid=0(root) gid=1001(hugo) groups=1001(hugo)
Mon 6 Jul 11:16:09 BST 2020
root@blunder:/root#

Foothold: Read the “index.html” and create your own wordlist (can’t say more).
User: Look at the directories you’ve first found when you accessed the machine and start enumerating from there.
Root: Find your privileges…

@Karthik0x00 said:

@6uta said:

I'm just stuck on getting root.
I found user S**n is in group ld.
After googling, I found that I can make use of it.
But the machine is missing l*c…
So, am I on the wrong track?

The root was pretty easy. Just sit back and think about what you see.

So, I should let go of “l * d”?

@6uta said:

So, I should let go of “l * d”?

I don’t know what that is, but the short answer is “yes”.

Privesc is pretty simple if you do your enumeration.

@TazWake said:

@6uta said:

So, I should let go of “l * d”?

I don’t know what that is, but the short answer is “yes”.

Privesc is pretty simple if you do your enumeration.

Thank you.
I will just enumerate again from the beginning.


Rooted.
I found that I spent a whole day enumerating a user which I should not have enumerated.
My problem is being super quick to switch from user H to user S…

Spoiler Removed

Hi,

I’m a bit stuck and could use a little help or a push in the right direction.

I have a shell like www … and I found an interesting file with two hashes: one from a user with which we could get a shell, and a new one.

I identified the hash type and tested it with the known one. However, for the new hash I keep getting Exhausted with various word lists, using a custom one and a frequently used one, the same for both.

Is this a rabbit hole and a completely wrong direction … or am I missing something?

Thanks for the push

@mrZapp said:

Is this a rabbit hole and a completely wrong direction … or am I missing something?

This is the correct direction. If it isn’t in your wordlist it won’t crack. Try an online tool such as a station which cracks.

@TazWake said:

@mrZapp said:

Is this a rabbit hole and a completely wrong direction … or am I missing something?

This is the correct direction. If it isn’t in your wordlist it won’t crack. Try an online tool such as a station which cracks.

Thank you,

With your tip, it took me less than ten minutes and a new file to explore to get out. Sometimes we just have a blind spot :slight_smile:

Now to root.

Spoiler Removed

Learnt some new techniques from this. Also I now have a 15GB wordlist to use in the future, if the popular one fails. This box was trickier than I expected, but I really liked it.

Rooted.

There is an abundance of information here in the forums, which was good for me because I was really stuck on finding the file with the initial foothold username. Once I got that, however, the rest was pretty easy. Also, you can ignore the screenshots. The information in them is unhelpful and inaccurate.