Official Passage Discussion

Type your comment> @Limpskinz said:

Could someone give me a hint? I found the /CeN*/ L**** p*** and now i don’t know what to do with it, I barely found it almost by accident without the dirbuster

There is no need of dirbuster to get the shell. Just read everything on the webpage and use google.

Type your comment> @gs4l said:

Type your comment> @Limpskinz said:

Could someone give me a hint? I found the /CeN*/ L**** p*** and now i don’t know what to do with it, I barely found it almost by accident without the dirbuster

There is no need of dirbuster to get the shell. Just read everything on the webpage and use google.

after some googling i found an et and after running it i’m in a sl in www-data with a suspicious file named ex*** and a lot of .php files, am i on the right track?

Type your comment> @TazWake said:

@PapyrusTheGuru said:

No idea how to get user.txt, I feel like I’ve looked around everywhere, can someone point me to the right direction? thank you.

Its difficult to answer this because the simplest non-spoiler answer is to enumerate. Look in the files and folders. Make sure you know what you’ve found and dont assume because something looks like a random string of characters that it isn’t useful.

But there’s a lot of data to work through. Unfortunately, this is realistic - you might do a pentest and land on a box which has 30 user’s documents and you have to go through terabytes of tedious stuff to see if they’ve left credentials out.

The main thing I can say is dont go too far from where your shell lands. Look at the files. If its encoded, decode it. If its hashed try to crack it. etc.

Understood, nonetheless thank you so much! I appreciate whatever help I can get :slight_smile:

Type your comment> @TazWake said:

@MillyBilligan said:

Hey guys! I need a hint. So i have a ww-dta shell, got decrypted creds to ************* but i can’t drop to theirs accounts because w**-d*ta shell don’t take input, like su and ssh requires a key file. I should enumerate next too?

Have you tried getting a better shell?

Yea, i tried to upgrade shell but nothing…I should search a file on machine that can help me?

@MillyBilligan said:

Yea, i tried to upgrade shell but nothing…I should search a file on machine that can help me?

It might be better to try and work out why the upgrade isn’t working. I dont think there is anything else on the machine which would be useful.

I’ve got both user but now I am stuck at root. I’ve found the relevant article but I am not sure what to do after it, as far as I understand the exploit helps make r*** owned files, but I am not sure how I should be using it (considering the fact that I’ve logged as User2 but I don’t have the password so I can’t use sudo either).

A nudge would be much appreciated.

Type your comment> @0xR3tr0z said:

I’ve got both user but now I am stuck at root. I’ve found the relevant article but I am not sure what to do after it, as far as I understand the exploit helps make r*** owned files, but I am not sure how I should be using it (considering the fact that I’ve logged as User2 but I don’t have the password so I can’t use sudo either).

A nudge would be much appreciated.

You don’t need to use sudo, just stay at home make sure to liste all files, you will see something interesting !

STOP RESETTING THE MACHINE.
THE RESET BUTTON IT’S NOT A “PRESS ME I’M A FUNNY BUTTON”

Type your comment> @PinguBlasfemo said:

STOP RESETTING THE MACHINE.
THE RESET BUTTON IT’S NOT A “PRESS ME I’M A FUNNY BUTTON”

Check the shoutbox to cancel unnecessary resets in your VPN pool.

Type your comment> @TazWake said:

@Shides said:

Currently I’m stucked on root :neutral: any hint is appreciated :lol:
until now I really enjoyed the machine, one of my favourite.

Enumerate. Look for something which has certain settings that you can use to your advantage.

Finally rooted!

Thank you for your reply man.

(AFAIC, I think that hints like “stay home” are confusing)

Type your comment> @0xR3tr0z said:

I’ve got both user but now I am stuck at root. I’ve found the relevant article but I am not sure what to do after it, as far as I understand the exploit helps make r*** owned files, but I am not sure how I should be using it (considering the fact that I’ve logged as User2 but I don’t have the password so I can’t use sudo either).

A nudge would be much appreciated.

Read the exploit docs, think of how else it can be used. Get creative, there are at least 3 ways to do it.

Spoiler Removed

I do not understand why some people paste shadow, passwd, and root.txt file in low-priv user. Please do not spoil this great platform and the learning of other users.

I don’t understand why people reference rockyou the way they have above? its standard knowledge that if cracking is required, they will generally fall in rockyou or other publicly avail password lists…
Same goes for starring out part of www-data and other very easily enumerated users on boxes

really stuck on user 2 , saw people talking about staying at home, but the only interesting file I found in home is .ICE******. I tried all the strings that looked like passwords but none worked. Anybody got a hint?

Curious of what spoiler I posted?

Just completed. Route through users was quite typical and straightforward, however root was really quite new for me. Without hints from forum routing would be rather difficult. Another subject to a deeper study. Really nice box!

Rooted this box. But i got some question to people who have found the vulnerability for the rootpart by themselves. Can someone PM me ?

@astrozombie said:

Curious of what spoiler I posted?

I’ve no idea and people do report things for varied reasons. If you mentioned a CVE number or specific exploit it is likely to be reported.

Type your comment> @TazWake said:

@astrozombie said:

(Quote)
I’ve no idea and people do report things for varied reasons. If you mentioned a CVE number or specific exploit it is likely to be reported.

Thanks for the reply. I didn’t have anything like that but wanted to ensure I’m not breaking any rules here inadvertently. I try to keep it pretty vague with any hints.

Cheers