Official Compromised Discussion

Please stop uploading files; it crashes the server and has nothing to do with the exploit.

$: ls /home
<Response [200]>

$:

Oh you don’t wanna print anything? Yea… that’s cool…

@sparkla said:

[Redacted] - I stand by every word I said, and that includes that I have no intention to hurt or harm creators, the project or anyone else. It also includes that a lot of things aren’t ok. Let’s hope they get better.

Of course you do, and of course no one wants to hurt anyone. You raised your concerns and I gave you some absolutely free-of-charge advice on how you could possibly start feeling better and how you can find the peace of mind you’ve apparently lost. Nothing more than that.

It is an interesting box and it is nice to see some DFIR skills being needed. Thanks to @D4nch3n for taking the time and effort to build this!

I found it very enjoyable and the process was fairly straightforward. I can see how people might get frustrated though; my main tip would be to slow down and make sure you’ve thought about what you are doing.

This box will definitely punish people who rush to get a reverse shell.

#Sort of hints

Initial Foothold: the public exploit does work but needs modification. Investigate why it fails and there is also public information on how to fix this.

First account: Enumeration is the key. The information is available in at least two places. You can use this to access something via the initial foothold. Enumerate what it can do and then you can convince it to trust you so you can access as this account.

Second account: You should know what account you want. Enumerate carefully and find loot. Use loot.

Privesc: The box name is a hint. Look for things left behind. Use the hints on page 1. Ghidra helps but there are lots of other ways to do this. Find loot. Use loot.

Overall, really good box which sits nicely in the “hard” bracket.

@TazWake said:
It is an interesting box and it is nice to see some DFIR skills being needed. Thanks to @D4nch3n for taking the time and effort to build this!

I found it very enjoyable and the process was fairly straightforward. I can see how people might get frustrated though; my main tip would be to slow down and make sure you’ve thought about what you are doing.

This box will definitely punish people who rush to get a reverse shell.

#Sort of hints

Initial Foothold: the public exploit does work but needs modification. Investigate why it fails and there is also public information on how to fix this.

First account: Enumeration is the key. The information is available in at least two places. You can use this to access something via the initial foothold. Enumerate what it can do and then you can convince it to trust you so you can access as this account.

Second account: You should know what account you want. Enumerate carefully and find loot. Use loot.

Privesc: The box name is a hint. Look for things left behind. Use the hints on page 1. Ghidra helps but there are lots of other ways to do this. Find loot. Use loot.

Overall, really good box which sits nicely in the “hard” bracket.

I really thought I was gonna get this one before you… ended up having to spend all day on homework smh :joy:

@LMAY75 said:

I really thought I was gonna get this one before you… ended up having to spend all day on homework smh :joy:

Sorry! I had a slight advantage for privesc though as it aligned fairly well to my day job…

Rooted! Nice machine.
Learned some good stuff.
The root part is tricky and awesome.

For Foothold: Google FU.
For user: Enumeration
For Root: If you got something, play with it in all possible orders. :wink:

Yup, the root is a bit of a kicker… got user a while back - shells aren’t that unstable. Good box.

Can I get some help trying to dump this s** db? The shell doesn’t seem to like my commands.

Edit: got it. For anyone facing the same problem, I had to use --password instead of -p.

@sparkla said:

I managed to get a real shell afterwards but user.txt wasn’t in the location shown by the locate command. Not sure if that was intended or another “user manipulation”, it was very late so I didn’t reset the box to check again.

The user flag is where it should be. I suspect that if you aren’t in the right account you can’t see it.

@sparkla said:

Try

locate user.txt

Maybe that helps to understand my question.

I will tomorrow.

Keep in mind, locate does a search in the updatedb database - it will only find files that are stored in the db. It is often not as effective as a find command.

For example, find / -name "user.txt" 2>/dev/null would, in most situations, be a better choice. (I have no idea if it would work on this box; I never tried it.) File permissions can affect both.

I have never been so stuck in my entire life :joy:

@sparkla said:

Try

locate user.txt

Maybe that helps to understand my question.

Ok - so having tried this I might have a better idea what you mean.

Some things to consider:

  • locate is (at least in my experience) really hit and miss. It frequently misses files on my local system because I don’t keep the database up to date.
  • each user account has set privs; if the account you are in doesn’t have privs to see the file, you might not be able to find it with other tools. Keep in mind which account is being used by which “exploit.”
  • If you use the second account via the first bit, the output is muddy, so it isn’t great for broad searching (targeted enumeration still works).

On this box, there is no need to hunt the flags. They are exactly where they should be.
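As an added illustration of the two points above (a name-based find with errors discarded, and file permissions hiding a file from the account doing the searching), here is a small POSIX shell script that is not part of this thread. It builds a constructed directory tree under mktemp with two user.txt copies, makes one home directory unreadable to simulate another account's home, and counts how many copies a plain find can see. The tree layout, file contents and function names are all assumptions for the demo; locate is not exercised because it only reports what updatedb last indexed.

```shell
#!/bin/sh
# Added example, not from the thread: how file permissions change what a
# name-based `find` can see. Everything here is a constructed fixture.

# make_tree: build a throwaway tree with two user.txt files; one home is
# made unenterable (mode 000) to stand in for another account's home.
make_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/home/alice" "$root/home/bob"
  echo "constructed-flag-a" > "$root/home/alice/user.txt"
  echo "constructed-flag-b" > "$root/home/bob/user.txt"
  chmod 000 "$root/home/bob"
  printf '%s' "$root"
}

# find_flag ROOT NAME: the search from the post above, rooted at ROOT.
# "Permission denied" noise goes to /dev/null, which is exactly why a
# silent miss is easy to mistake for "the file is not there".
find_flag() {
  find "$1" -name "$2" 2>/dev/null
}

# count_hits ROOT NAME: number of matches the current account can reach.
count_hits() {
  find_flag "$1" "$2" | wc -l | tr -d ' '
}

# unreadable_dirs ROOT: directories under ROOT that cannot be entered,
# i.e. the places a search from this account is blind to.
unreadable_dirs() {
  find "$1" -type d 2>/dev/null | while IFS= read -r d; do
    [ -x "$d" ] || printf '%s\n' "$d"
  done
}

# cleanup ROOT: restore the mode so rm can remove the fixture.
cleanup() {
  chmod 755 "$1/home/bob"
  rm -rf "$1"
}

# Stand-alone run: as an unprivileged user only alice's copy is found;
# as root (which ignores mode bits) both copies are found.
if [ "${DEMO_RUN:-1}" = "1" ]; then
  T=$(make_tree)
  echo "visible matches: $(count_hits "$T" user.txt)"
  echo "directories this account cannot enter:"
  unreadable_dirs "$T"
  cleanup "$T"
fi
```

The takeaway for the question in the thread: a zero-result find does not prove the file is absent, and the unreadable_dirs listing is the check to run before drawing that conclusion. Root bypasses mode bits, so the same script run as root reports both copies.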

@sparkla said:

@TazWake that is exactly the reason why I was asking myself if someone manipulated the box. Locate shows the past, I don’t know which past.

Ah, interesting. When I ran locate just now it returned nothing! :smile:

In my case locate showed user.txt should be in home of my***. But it wasn’t.

It should be. If it isn’t someone messed with your box.

EDITED TO ADD:

I am sorry, I’ve realised I might have added to the confusion here because I wasn’t paying enough attention to detail in my replies.

Hopefully, this is cleared up now.

@sparkla said:

@TazWake Edit: Posts were timed badly. Now you answered my questions, thanks.

Awesome - I think I understand at last!

Hopefully, we are communicating on the same frequency now :smile:

It is a crying shame that so many people think it is funny/clever to break the boxes for other people. I wish more Linux boxes set the immutable flag on the flags.

Got user. It wasn’t so much hard as that I had never used this method before and couldn’t find anything online about it. Thanks to @TazWake for walking me through the second half with the S** service trickery.

Onto root, from what I see on this thread this will certainly go over my head. I have 0 knowledge of reversing… should be interesting.

Been increasing the difficulty over the past 2 weeks, Unbalanced was a cakewalk but this is definitely my max.

Edit: Starting the 6 hr ghidra crash course lol wish me luck

Really interesting box! I have learned a few new things!!
Thanks for the hints and Congrats @D4nch3n !

Pm if you need a small nudge :wink:

How did you guys transfer the interesting file back over to your local machine? scp hangs when I try to connect back to my personal ssh server.

Netcat worked for me, but YMMV.

@LMAY75 said:

How did you guys transfer the interesting file back over to your local machine? scp hangs when I try to connect back to my personal ssh server.

A lot of ways are there! Scp, Nc, Pyserver, need more? Google it.