first thing: the -s…
second thing: u…e=j… ?? this one!
any article describing the second thing?
This was a weak part of this box, found by guessing (number of possibilities is limited). This one part could have been arranged better IMHO. Overall very enjoyable box. Regarding root part - if one exploit does not work, then try another. Do not waste too much time like me -
First time taking on BSD machine. I think I found all elements I could get from enum and googling, however I can’t seem to get my foot in. I’m probably not providing the information in a correct way :(.
EDIT: I think I’m on something, let’s hope it will work !
EDIT2: Rooted. Once in, it’s almost a piece of cake.
For me, the foothold wasn’t too tough, but a failure during the enumeration killed about 6 hours of my time. See, when I enumerated, the tool I used told me that a certain thing was inaccessible, so I never tried to further enumerate it. Thus, even though I had found the CVE, and had seen what -s********* could do, I was stuck. I had not found the much discussed binary or the username. Much thanks to @cre4k on discord for encouraging me to go back and check that unreadable thing again; I honestly didn’t know if I was missing something obvious (I was) or had a fundamental misunderstanding of what was going on.
Once I went back and checked that, and found out what was hiding there, the foothold was just trial-and-error and some handwaving, and everything after that was quick.
So I guess the lesson is, if you’re stuck, go back and re-enumerate just to see if anything comes up different the second time around.
Could someone explain why the foothold works the way it works?
It is difficult without insane amounts of spoilers. If you google the process you can find a series of articles and blog posts which talk about the vulnerability being exploited which might help.
Just rooted, this was a fun one. I’d actually say this was easier than most of the easy boxes out right now.
But I’m still confused about the foothold. I struggled pretty hard with the second step of the foothold where you have to adjust something to get the user you want… I got it to work eventually but used an extension to help me out. I’m still unsure how you could manually modify the request to get what you want.
I saw a prior comment about adding something with a semicolon, but couldn’t figure out how to do it after unsuccessfully trying a few different ways… could I message someone to try to understand how this works?
This is one of those boxes where you just have to tough it out.
Foothold is definitely the most mind-tiring phase of this box; after that it's a matter of constant research.
It's all on Google. After finding that valuable article, adapt what you found to the circumstances and don't rely on it too much.
Had no need to Reverse Engineer.
I somehow managed to enumerate so well that I found the privilege escalation vulnerability before even getting a shell on the system, which was quite weird. Anyway, I rooted it! What a great box! Thanks to @N3s for the assistance during the initial foothold.
Initial foothold:
Remember the OS you are trying to pwn.
Enumeration, enumeration, enumeration
Don’t over complicate things at all, imagine how the file you found can connect to something else, and how it may interact with index.php.
Root:
Google & Enumeration, and also backtrack from the previous vulnerability you found.
I’m sorry if I’m revealing too much, please do not hesitate to delete/remove this post if that is the case.
As always, knowledge is very subjective, some people know more, some people know less, and that’s fine! If you’re still exhausted and confused out of options, do not hesitate to DM me! I am utmost willing to nudge you in the right direction.
Finally rooted. Got stuck on root for several hours…
Guys, if something is not working, search for other ways. When you find the right way, all things will go smoothly.
Good luck
So I managed to root this box a few days ago. I would like to thank @TazWake for the nudge on the initial foothold.
Here are some hints:
User: Enumerate, google and some tasty baked goods
Root: IF you have gotten this far, remember how you got in. See if that thing could help you priv esc. If you did your enumeration correctly this should be very straight forward.
Alright Team, I'm asking this in here in hopes that someone can finally assist. I have watched every IPPSEC video that I can and still can't figure this out.
Whenever I am in a remote shell and want to edit a file (e.g. a PHP file), I open vi and when I utilize my arrow keys to try and navigate, it leaves a ton of silly characters and greatly degrades my ability to edit ANY file. I watch IPPSEC crush edits in vi and I cannot for the life of me figure out how to make my terminal operate unhindered like he does.
ANY HELP WOULD BE AMAZING!
Not super helpful, but I don't use vi if I can avoid it; I find nano is much more effective on HTB boxes.
The characters you see are probably the result of the terminal emulator not really understanding what is going on (for example, if you are using nc to sling bash, it isn't a terminal in the normal sense), so some of the shell "upgrade" fixes might solve it.
However, as I said, I gave up trying to fix this and just use nano on HTB.