Official Doctor Discussion

Finally rooted! It was a fun box, definitely humbles you… Once you gain a foothold, enumerate well on all services and check out what high ports might be vulnerable. Then I suggest Googling to see where that would store the credentials :wink:

I would appreciate a nudge for finding and exploiting the S**i vulnerability. Been looking for hours and I just don’t see it…

@h0ll0w666 said:

I would appreciate a nudge for finding and exploiting the S**i vulnerability. Been looking for hours and I just don’t see it…

Two things:

  • make sure you know the right pages to look at to trigger anything you’ve injected
  • make sure you have the right two letters in between the S and i.

Got root today. Fun box! Initial foothold was definitely the toughest.

Feel free to DM if you find yourself stuck and need a nudge.

Faced a rabbit hole while trying to get root. Noticed that the python2 binary has the cap_sys_ptrace capability, and I thought it was the way to root, but after several hours I realized that kernel.yama.ptrace_scope is set on Ubuntu and there is no possibility to change it at runtime…

Finally got root, nice box, not as easy as I thought!

Can anyone help with the foothold? I'm on m*******g and know I will need to exploit si but nothing works. I also found the a*e where titles show up but no si.

@karimwassef said:

Can anyone help with the foothold? I'm on m*******g and know I will need to exploit si but nothing works. I also found the a*e where titles show up but no si.

Do you have the right s**i?

Initial foothold was a little difficult, but everything after that was pretty straightforward. Plenty of tips in this thread but PM me if you need a nudge.

Stuck with the port scan on the Doctor machine… all ports are filtered :frowning:
Used a SYN stealth scan…

@TazWake said:

@karimwassef said:

Can anyone help with the foothold? I'm on m*******g and know I will need to exploit si but nothing works. I also found the a*e where titles show up but no si.

Do you have the right s**i?

I honestly don't know, I haven't really messed around with it before.

@karimwassef said:

I honestly don't know, I haven't really messed around with it before.

One of the payloads on payloads all the things works.

Do I have to split the e**l c****g payload into separate messages for it to work? Because I keep getting a 500.

@karimwassef said:

Do I have to split the e**l c****g payload into separate messages for it to work? Because I keep getting a 500.

Didn't use that one; all the things has one that just needs an adjusted payload.

Currently have user but just wondered if anyone can tell me if S****k is the way to root? Have the exploit but wondering if it can be run without creds. Or am I in the wrong direction?
Thanks

@foalma321 said:

Currently have user but just wondered if anyone can tell me if S****k is the way to root?

Yes

Have the exploit but wondering if it can be run without creds. Or am I in the wrong direction?

You need creds - don’t you have them?

@TazWake said:

@foalma321 said:

Currently have user but just wondered if anyone can tell me if S****k is the way to root?

Yes

Have the exploit but wondering if it can be run without creds. Or am I in the wrong direction?

You need creds - don’t you have them?

No. Guess I need to enumerate more…
Thanks for letting me know I'm on the right path.

Seems like I do have creds, got it working but not executing the payload yet, more tinkering needed. If the quite exploit does in fact work.

@foalma321 said:

Seems like I do have creds, got it working but not executing the payload yet, more tinkering needed. If the quite exploit does in fact work.

I can get it to run commands, have tried ping and have netcatted a file transfer, wrote a file… but cannot get a reverse shell to pop… am I looking at this wrong?


OK, have the root flag and have RCE on the box but cannot get a reverse shell as root. So I don't know if I can say I've rooted it.