Official Academy Discussion

Rooted now, learned some things doing this box!

What a traumatic machine… I was so frustrated that I was going to skip this machine. Thanks to @IvanV who motivated me to go on.

Lesson learned: Even when you think you know how to retrieve things, GOOGLE IT!!!

Anyone do the user part manually?

I was able to escalate my privs on the webpage but I don’t fully understand why it worked that way. Can someone point me in the right direction on documentation or explain why changing a certain value worked the way it did? Thanks in advance!

Rooted the machine, it was a really fun box, learned a lot.
PM for nudge, good luck

Rooted. The hardest part was definitely getting that 2nd user. Foothold wasn’t too bad and root was the easiest. @sh4d0wless mentioned updating enum script and running again. That’s what did it for me.

I too am stuck on the foothold thing. I believe I found the small change I need to make. I would be happy to discuss my strategy to see if I am headed in the right direction. So far none of the changes allows any new accesses. I’m sure it’s got to be something even more simple than what I’m attempting…

@Sc0rp10ne said:

I too am stuck on the foothold thing. I believe I found the small change I need to make. I would be happy to discuss my strategy to see if I am headed in the right direction. So far none of the changes allows any new accesses. I’m sure it’s got to be something even more simple than what I’m attempting…

It is a small change. When you make it and it still works, you can log in to a new page with the credentials you have created.

@moose said:

I was able to escalate my privs on the webpage but I don’t fully understand why it worked that way. Can someone point me in the right direction on documentation or explain why changing a certain value worked the way it did? Thanks in advance!

It’s not a “standard” thing, it’s just down to how the webapp was coded.

Rooted!
I wasn’t a fan of the way we switch between users, I feel it’s a little too far-fetched. At least the method that I used, I’m happy to find out how others did it!

@TazWake said:

@Sc0rp10ne said:

I too am stuck on the foothold thing. I believe I found the small change I need to make. I would be happy to discuss my strategy to see if I am headed in the right direction. So far none of the changes allows any new accesses. I’m sure it’s got to be something even more simple than what I’m attempting…

It is a small change. When you make it and it still works, you can log in to a new page with the credentials you have created.

Thanks @TazWake! Your hints worked. It was a simpler change than I even imagined. Also realized I need to spend some quality time learning gobuster. Forgot to run some features to help find the nuggets I’ve been looking for. On to the next stage \o/

Fun box, I did not find it as easy as other people did especially with the enumeration, but here is what I can share.

Foothold

When life gives you parameters, mess with them. This will open a door that only privileged users can go through. Once through the door, follow the path in front of you. Errors can reveal who you are, and we all have flaws. Well-known exploit tools might even know about this flaw.

User 1

Your favourite enumeration pod will reveal what should be of interest. Some keys can open more than one door. If you find such a key, try it against all doors.

User 2

A collection of users usually have things in common. When we do things we leave trails; they can be shrouded, but with the right combination of tools and grep you can un-mask anything. You might want to find the interesting steps taken and then use the proper tool to look at those.
This is the best I can give without spoiling it for others.

Root

If you made it to this point just gtfo here.

Thanks to @Dilan for narrowing my search for the second user.
PM for a nudge.

Can someone please nudge me? I’m stuck after getting reverse-shell as a www-data user, I can see ******* user.txt file but can’t read it. I don’t understand where to go further.

@bascoe10 said:

Fun box, I did not find it as easy as other people did especially with the enumeration, but here is what I can share.

Foothold

When life gives you parameters, mess with them. This will open a door that only privileged users can go through. Once through the door, follow the path in front of you. Errors can reveal who you are, and we all have flaws. Well-known exploit tools might even know about this flaw.

User 1

Your favourite enumeration pod will reveal what should be of interest. Some keys can open more than one door. If you find such a key, try it against all doors.

User 2

A collection of users usually have things in common. When we do things we leave trails; they can be shrouded, but with the right combination of tools and grep you can un-mask anything. You might want to find the interesting steps taken and then use the proper tool to look at those.
This is the best I can give without spoiling it for others.

Root

If you made it to this point just gtfo here.

Thanks to @Dilan for narrowing my search for the second user.
PM for a nudge.

Could you help me narrow my search please? Stuck on User2.

Rooted!
Thanks to @deepansh0xB for the nudge! I learned my lesson here.

Nice box, I’m done with it.

@kalkipoison said:

Can someone please nudge me? I’m stuck after getting reverse-shell as a www-data user, I can see ******* user.txt file but can’t read it. I don’t understand where to go further.

Enumerate. If you ran a tool like nikto against the site, or did a good job with dirb/dirbuster/gobuster/whatever then you should have seen some files that look interesting but you couldn’t access them.

You can look at them in the filesystem.

If you get any credentials always check for password reuse.

Rooted

I thank everyone who gave me tips, but especially to @Harbard thanks for your patience, without you it would not be possible.

I’m a beginner and it was a little complicated, I learned a lot.

Really stuck on user 2, trawling through the logs at the mo with grep and zgrep but really need direction on the best things to look for, any help would be most appreciated. Enjoying the box so far…

@foalma321 said:

Really stuck on user 2, trawling through the logs at the mo with grep and zgrep but really need direction on the best things to look for, any help would be most appreciated. Enjoying the box so far…

If you ran a tool like nikto against the site, or did a good job with dirb/dirbuster/gobuster/whatever then you should have seen some files that look interesting but you couldn’t access them.

You can look at them in the filesystem.

If you get any credentials always check for password reuse.