Official Ophiuchi Discussion

Initial:
Getting RCE is easy if you enumerate and investigate like with any box. It’s pretty obvious and there are a lot of resources available to get you up to speed.

User:
Haven’t seen it mentioned here, but those that are after a reverse shell don’t need one: you can go straight to user from RCE. The application’s thread process behavior isn’t super conducive to grabbing reverse shells. I didn’t want to mess with it and I recommend you don’t either, so poke around.

Administrator:
Root is really simple once you figure out the quickest way to write what you need. You have a LOT of choices, so it’s really whatever you’re comfortable with, but one was particularly easy, IMO. My root payload was 6 lines long and less than 30 characters total. Don’t overthink it. There are way easier ways to satisfy what you need than editing anything you find on the box, so don’t drown yourself in that if it isn’t clicking.

Thanks for the accurate difficulty, btw! Many HTB difficulty ratings are WAY off, but this was pretty spot-on. User wasn’t hard, root took some documentation reading and a bit of hands-on work - that’s about where a medium should be, in my opinion :slight_smile:

Got the root, but by taking advantage of a w**** file somebody else had left lying around, since I thought it was just one of the examples. Apparently it wasn’t, since I was a bit bothered and came back later to test if my theory was right, only to find myself being wrong. Now I’m struggling to find a proper way for root. I shouldn’t have to compile my own binary, should I?

Edit: found the correct way by doing a little research.

@riceman said:

Administrator:
Root is really simple once you figure out the quickest way to write what you need. You have a LOT of choices, so it’s really whatever you’re comfortable with, but one was particularly easy, IMO. My root payload was 6 lines long and less than 30 characters total. Don’t overthink it. There are way easier ways to satisfy what you need than editing anything you find on the box, so don’t drown yourself in that if it isn’t clicking.

@riceman do you mind if I PM you? I’d like to take a look at this 6-line payload you had. I believe I tried that route for quite a few hours without much success. I am curious what I was missing.

Side note: I then decided to try the editing approach and it took me about 10 minutes to get to root (starting from a Google search for the correct format, to editing the file, to getting the flag).

Finally rooted. Root took a while, but good box overall.

@damnc said:

@riceman do you mind if I PM you? I’d like to take a look at this 6-line payload you had. I believe I tried that route for quite a few hours without much success. I am curious what I was missing.

Sure, if you’ve already solved it, then shoot me a message.

uid=0(root) gid=0(root) groups=0(root)
root@ophiuchi:~#

Good box! I liked it a lot.

Rooted! Had a little hard time on the initial foothold, but learnt something new! Great box! Thx!

Rooted, quite an easy box actually!

Foothold: check the request and play with it
User: old vulnerability, search for it
Root: Never played with Go, but I think it’s doable with a bit of research. When exploiting binaries, what is the most useful thing?! (I think it is the source code :stuck_out_tongue:)

PM me if needed (but at least have concrete questions)!

Wow. That was a fun box for sure. Foothold took me longer than it should have, but I got there.
Root was a learning experience.
Thank you!

Just rooted this box… although, it’d be more accurate to say, “I got the flag”…

I couldn’t get my version of the “attack script” to pop a reverse shell; I knew my script was being executed, because I got it to run id and saw the expected result. Try as I might, though, I couldn’t get my reverse shells to work. In the end, I just catted what I needed. Like I say, I got the flag, but don’t really feel that I “got root”, if that makes sense…

If anyone here did manage to get a rev shell to work (or get in as root), would you mind sharing how, via PM, please?

If anyone here did manage to get a rev shell to work (or get in as root), would you mind sharing how, via PM, please?

I gotchu!

@riceman said:

I gotchu!

Thanks, @riceman for showing me how to get “true” root, not just the flag!

First box I managed to do without any hints. Very straightforward, just needed some Google-fu to figure everything out. Enjoyed it a lot, thanks for the box!

Finally rooted. What a ride to root, completely new territory for me; took me a while to understand how to feed the export method exactly.

If anyone needs help, just PM me.

Enjoyed this box. Tip for foothold: if you’re getting a 5** error, READ THE WHOLE ERROR DUMP, not just the titles. I wasted more than an hour making that mistake.

Thanks @felamos, I had a great time :slight_smile:
What was particularly satisfying was how easy it was to get the foothold, because the last time I had to deal with that kind of vuln, I struggled a lot to get it working. It feels good to see some progress on my end!
If anyone successfully managed to get his or her own crafted file working for the last part, I’d be happy to know. I tried several things but kept hitting segfaults.

For the root part, I understood what needs to be done but was in the wrong place. I got the root flag after going to the right place. But can someone give me more understanding about why the place mattered here? I didn’t get that part very well. Send me an explanation in PM. Thanks @felamos for this box, learnt a lot on this one.

Nice box, foothold and user are easy. Root trick was new to me but didn’t take much after a bit of Google-fu. Thanks for the nice box.

Regarding foothold: lots of people are talking about its simplicity, but I had trouble getting a shell to work. Specifically, issues with my Simp******erver not working for whatever reason (maybe needed a different port? not sure). Anyway, another Python library program helped A LOT…
Second, people talk a lot about the 500 error and reading the error messages, but for me that didn’t really help. Maybe I’m too thick, for I couldn’t figure out why something didn’t link? All files were called 200, so, giving up, I ended up using a different resource than the one giving the 500. That helped.
to root. i go