Official Ophiuchi Discussion

rooted. thanks @felamos for a fun box.

lots of good hints in the thread above. for the final step I would add that if you have the right tool, getting the strange file to do what you want isn’t too difficult.

PM if you need help.

Rooted!

Nice box, definitely easier to modify original file for root.

PM if needed :slight_smile:

Hey, can anyone help me? Having trouble with my payload. Don’t want to leave any spoilers so if I can DM that’d be great.

Finally rooted. Thanks @felamos for the box! The amount of things I learned in this box is insane. Root was pretty hard for me, and capturing that flag was the most satisfying thing ever…

Foothold

Google like your life depends on it. Take your sweet time to read all the way through the articles you find until things work.


User

Enumeration. That’s it. Don’t be like me, I literally saw what I needed to see and completely missed it. Wasted hours because of it…


Root

Look for something nice. See what it does and where the things it uses are. Maybe try to see things differently and change some stuff. The place you are does matter.


Feel free to PM for nudges :slight_smile:

Does anyone know why I can’t submit flag?

Initial:
Getting RCE is easy if you enumerate and investigate like with any box. It’s pretty obvious and there are a lot of resources available to get you up to speed.

User:
haven’t seen it mentioned here, but those that are after a reverse shell don’t need one - you can go straight to user from RCE. The application’s thread process behavior isn’t super conducive to grabbing reverse shells. I didn’t want to mess with it and I recommend you don’t either, so poke around.

Administrator:
Root is really simple once you figure the quickest way to write what you need. You have a LOT of choices, so it’s really whatever you’re comfortable with, but one was particularly easy, imo. my root payload was 6 lines long and less than 30 characters total. don’t overthink it. there are way easier ways to satisfy what you need than editing anything you find on the box, so don’t drown yourself in that if it isn’t clicking.

Thanks for the accurate difficulty, btw! Many HTB difficulty ratings are WAY off, but this was pretty spot-on. User wasn’t hard, root took some documentation reading and a bit of hands-on work - that’s about where a medium should be, in my opinion :slight_smile:

Got the root but by taking advantage of a w**** file somebody else had left lying around since I thought it was just one of the examples. Apparently it wasn’t since I was a bit bothered and came back later to test if my theory was right only to find myself being wrong. Now I’m struggling to find a proper way for root. I shouldn’t have to compile my own binary, should I?

edit. found the correct way by doing a little research.

@riceman said:

Administrator:
Root is really simple once you figure the quickest way to write what you need. You have a LOT of choices, so it’s really whatever you’re comfortable with, but one was particularly easy, imo. my root payload was 6 lines long and less than 30 characters total. don’t overthink it. there are way easier ways to satisfy what you need than editing anything you find on the box, so don’t drown yourself in that if it isn’t clicking.

@riceman do you mind if I PM you? I’d like to take a look at this 6-line-long payload you had. I believe I tried that route for quite a few hours without much success. I am curious what I was missing.

Side note: I then decided to try the edition approach and it took me about 10 minutes to get to root. (Starting from a google search for the correct format, to editing the file, to getting the flag).

Finally rooted. Root took a while but good box overall.

@damnc said:

@riceman do you mind if I PM you? I’d like to take a look at this 6-line-long payload you had. I believe I tried that route for quite a few hours without much success. I am curious what I was missing.

Sure, if you’ve already solved then shoot me a message.

uid=0(root) gid=0(root) groups=0(root)
root@ophiuchi:~#

Good box! I liked it a lot.

Rooted! Had a little hard time on the initial foothold, but learnt something new! Great box! thx!

Rooted, quite an easy box actually!

Foothold: check the request and play with it
User: old vulnerability, search for it
Root: Never played with Go, but I think it’s doable with a bit of research. When exploiting binaries what is the most useful thing?! (I think it is the source code :stuck_out_tongue: )

Pm me if needed (but at least have concrete questions)!

Wow. That was a fun box for sure. Foothold took me longer than it should have, but I got there.
Root was a learning experience.
Thank you!

Just rooted this box… although, it’d be more accurate to say, “I got the flag”…

I couldn’t get my version of the “attack script” to pop a reverse shell; I knew my script was being executed, because I got it to run id and saw the expected result. Try as I might, though, I couldn’t get my reverse shells to work. In the end, I just catted what I needed. Like I say, I got the flag, but don’t really feel that I “got root”, if that makes sense…

If anyone here did manage to get a rev shell to work (or get in as root), would you mind sharing how, via PM, please?

I gotchu!

@riceman said:

I gotchu!

Thanks, @riceman for showing me how to get “true” root, not just the flag!

first box I managed to do without any hints. very straightforward, just needed some googlefu to figure everything out. enjoyed it a lot, thanks for the box!

finally rooted, what a ride to root, completely new territory for me, took me a while to understand how to feed the export method exactly.

if anyone needs help, just pm me.