Official Ready Discussion

Can anyone that has completed this box message me please? I got user a few days ago, but forgot to save my notes before shutting down my VM. Now, I can’t seem to reproduce the steps I used before. None of my PoCs work for getting a user shell.

This was a fun box. I’m open for nudges if needed.

Rooted this morning. Was pretty easy compared to the Laboratory machine.
Only spent ages trying to get the first root because the names in the files don’t seem to mean anything. Like, I would’ve expected the ini****_****_******** to have lead to it and not the s***. I guess I have to keep in mind that password reuse is a thing and people put their secrets in weird places.

Like others have said, after that the second root is a common one. Had to do a few times though because it didn’t work the first time.

Overall, nice room but, I wouldn’t really rate as a medium (unless you count the variable naming).

I’m studying hacking for pentesting about 3 months ago and spent time to discover Kali and tools. Now I’m entering this wonderful world of hacking :smiley: . I’m pretty a noob in the area. Well, I would thank the author of this box. It’s the first I managed to resolve (almost) without cheating. All I can say is there is many complicated rabbit holes that I was not able to force like SSH. Getting user is easy as it’s just searching on web. Root is also easy just thinking we are in a jail and not in the real system. I learned very much with this box :

  • how to get a decent SHELL
  • using linux tools to explore contents
  • parameters of config files and its purpose
  • connecting with SSH … well really :blush:

Thank you everyone!

Rooted!
Actually, I found the creds by pure luck but I can’t find it anymore unfortunately :frowning:
I really wanted to know what are the enumeration steps that leads to find the creds without any nudges…

Rooted, this was quite a simple box to be honest, maybe because recently I did an easy box using same approach

Foothold: Enumerate what you’ve found, and understand versioning. Search for vulnerabilites. There are several tools in the Web, personally I’ve used the very same of an easy box done recently that allowed reverse shell (that needed to be improved) as user g**
User (?): Using classical enumeration tool found interesting credentials that at first glance didn’t appear to be useful, but experience of recents boxes suggested to investigate further and actually I could use them (password reuse is a bad habit). Managed to grab user hash (even though I was not that user, that was odd). At this point I was a little confused as I thought that I reached the goal, but I realized that I needed to try harder.
Root: With some google-fu managed to free my self and obtain what I needed. Decided anyway to do a step further and complete escalation process.

Thanks for the box!

where is the root flag? I can’t find it in the usual place?

Type your comment> @iamshaleen said:

where is the root flag? I can’t find it in the usual place?

Are you sure you really are root?

Just finished the machine… if needed i can help

Type your comment> @alemusix said:

Type your comment> @iamshaleen said:

where is the root flag? I can’t find it in the usual place?

Are you sure you really are root?

I checked the id and its root

@iamshaleen said:

Type your comment> @alemusix said:

Type your comment> @iamshaleen said:

where is the root flag? I can’t find it in the usual place?

Are you sure you really are root?

I checked the id and its root

Have you escaped? If not, you are root in the wrong place.

finally rooted. Big thanks for @TazWake for the help and @likelytarget for the useful hint! :slight_smile:
PM if need guidance.

Rooted. I assume it’s rated medium because of the amount of rabbit holes (especially creds, though maybe there’s more than 1 way in).
PM for hints!

Fun box, but not sure if it should be rated medium. Easy, but still fun to do.

Rooted! I spent far too long trying to escape. Should of tried that first!

ROOTED.!!! Dm is open for nudges

I got user flag and currently stuck as g** user. Trying to find a way to privesc but having issues seeing the path. Nudges? DMs are open if you are worried if it will be to much of a spoiler

EDIT: Never mind, i rooted it and got the flag. This box was interesting and taught me something new!

root@ready:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ready:~# 

Rooted! :slight_smile:

Overall a really frustrating box because I hit rabbit holes hard. Finally rooting after the “middle” hop took less than 5 minutes. 5-6 hours of wasted enumeration hurts… but oh well I guess you live and you learn.

Feel free to DM for nudges.

Thank you that helps.

@digusil said:

Type your comment> @menessim said:

@Cyberzombi3 said:
Hey Guys, could I ask for a nudge oon upgrading the initial shell, having real troubles with it, i’m starting to think that its due to me using ZSH in Kali2020.4 as when backgrounding a task and foregrounding it everything seems to go to s***

the usual upgrading of a reverse shell doesnt work with zsh.
The easiest fix is to just start your nc listener from bash not zsh.

Accidentally, I found a quite simple solution:

script -c "/bin/bash -i" /dev/null

Is that OK? I already have root privileges. But there is not any root flag in the root home. Reset did not help. Command find / -name ‘root.txt’ did not found the flag.