There is a lot of great advice on here, but I’ll be honest, almost none of it helped me. It’s easy to give vague references when you already know how to pwn the box. Most of the time, I find myself going back through the comments on a box I owned just to understand some of the comments I read about beforehand.
So the constructive advice I have:
Get into a routine, approach every box the same way. That way, you can understand when something is out of place. If you find new techniques or tools, add them into your routine.
Learn how to learn. These forums aren’t here to give you the answers; they’re here to encourage you to put in the time and the effort to pwn the box. If you aren’t willing to put up, then shut up. Reach out to specific members for piecemeal advice as needed, not to gain an answer about pwning the box, but rather to increase your understanding of what you are trying to accomplish. To be fair, those two do occasionally go hand in hand.
Work at it. Go beyond your comfort zone. Put in the time to learn something completely new. This whole box for me was completely new. I had no idea about any of it, but I studied for about a week on the service in question, and got familiar with its functionality.
This is one of those where you try something you think should work, and it doesn’t, so you move on and go down a useless rabbit hole. So everything has been said in this thread. All the comments about enumeration are right. And enumeration isn’t hard. One or two simple commands will reveal the right path. There are really only two options once you see the path, so go for the easier one.
Then comes execution. Assuming you set it up right, my recommendation is you read the man page of the tool/client/thing you’re using to get root. That will open your eyes to possibilities of what you can do with your current resources.
This last comment relates to an issue I encountered on execution, so it may be irrelevant, but if you use the material from the man page in your command/execution, it may work; if it doesn’t and keeps spitting out the help message, try augmenting the command and stick with it.
Above all, ignore the comments about “poison” and posting of videos. I went down some rabbit hole trying to use the mixer on the system and a special file, which was dumb. The path is pretty standard, though it does require enumeration, some knowledge of the services running (though pretty basic knowledge), and understanding how to do the thing to make the thing possible.
I must just be plain simply blind.
Decoding the password was easy, but I can’t seem to find the username…
I looked into every page and its source, searched FreeBSD default values, and somehow I’m missing something that should be so simple…
hint/pm would be nice…
Got user, got the content of the zip file, found the root service and tried to connect: auth successful but white screen D:
Is there a problem on my machine, or is it normal?
Hello guys,
I got the user flag, I cracked the zip and I think I know what to do now but I cannot do it after several hours trying.
Can someone PM for quick help please?
Thanks
@sammysep said:
Hey, anyone able to PM about this box? I extracted the zip file, I know what service I’m supposed to target, but I am just stuck putting it all together. Been working on this off and on for a few days and would love just a little nudge to get over this last bump.
Poison was the first machine for me to get user and root on. It took time, but every minute was worth it. For sure it is a nice machine and I learnt a lot on the way while I was getting in. I like how the complete picture was getting more and more clear while I was getting through the steps. Thanks for this experience.
For the ones who are still fighting to get in, all the hints are right in this thread. Do not overthink. Look at what’s running on the machine and understand how they are working. And this applies to the user as well as to the root level. No bruteforce needed on the way. Look at what’s running on the machine and look at what you have. All you need is there. You just have to use it.
Hint for root: it was confusing at first because so many people were on it. Once you find the method of privesc, make sure you understand which ports are which. Then you might see that there’s a little extra you have to do other than just connecting right away.
@T3jv1l one thing for sure: there is no need for bruteforce on this machine. Everything is provided; you just have to find it and use it in the correct way. There are many hints in the thread, but you overthink it. Like people said before me, go for it like a normal machine, not like the Poison machine. Like how you would go for a black box, where you know nothing about the usernames or even the system. The other hint was to enumerate and understand the system, understand what is running and understand how those things work in different ways, like really understand the system and the services. When you understand it with all the possibilities and functions, the picture will get clear and you will know how to go further. Even a link was posted here in the thread before which helped me a lot to understand how to approach the privesc part. Keep up the good work! You will make it.
Ok, I have the decoded password. I’ve tried to ssh with www, poison, and a few other random usernames with no luck. Am I at least on the right track to getting in?
@XxCrashNBurnxX said:
There is a lot of great advice on here, but I’ll be honest, almost none of it helped me. It’s easy to give vague references when you already know how to pwn the box. Most of the time, I find myself going back through the comments on a box I owned just to understand some of the comments I read about beforehand.
This is actually something I fully agree with. Even picking out the good hints from the forums can be a good skill to have.
The clue that helped me the most was the one about running services. It might not be obvious (which it certainly wasn’t to me) which service looks “suspicious”, but I believe that intuition is something that would come with experience. Another clue that helped was more spoiler-ish, so I won’t include it here.