Official Armageddon Discussion

id

uid=0(root) gid=0(root) groups=0(root)

:slight_smile:

Overall, kinda a “meh” box in my opinion and closer to a medium, especially given the limitations in getting the initial foothold (if you got a revshell you’ll understand what I mean).

User

Enumerate what is running + do some googling and you shouldn’t have any trouble with RCE. Persistance may be troublesome, but try to “flow in” in areas of least resistance. Getting user.txt will take some additional enumeration/exploitation.

Root

This is what took me the most time, and ended up being the most annoying. From ~5 minutes after user it’ll be clear what the vector is, but accurately weaponizing it is tedious and annoying. Easy to overthink, but once you know what you’re doing don’t overdo it. Google is also your friend here.

Feel free to PM if you need a nudge.

Just Finished the Box. Send a message if you nedd hints! :slight_smile:

I’m stuck at a****e user, tried all my best with getting the db and I just couldn’t get it, kindly if anyone can DM me for a solution…

EDIT: Never mind, I found the solution.

Now i know how to build s*** pkg

I’m working on root now.
I know what Ubuntu specific tool i need to use, but i got 401 error.
Any hint?

EDIT: I’m root. I didn’t need to use this whole dirty thing.

finished the machine, If anyone need help, just pm me.

Got user. The very last step should be fast once you know what you’re working with and can configure your tool (a few seconds). If you’re having issues working with m*s** on the box, pack everything in a suitcase and take it outside.

…Got root. After getting user, simply check what “bigguy” things you can do with that user.

Beyond that point it went fast but I have to go back to understand s*** out of curiosity. For the exploit itself, there’s a certain popular source for…breaking out of stuff…that covers all the steps, though I had to change the payload slightly.

Feel free to PM for hints.

Sometimes my curse of overthinking kills me. Got the root flag

I’m in as b*****eaan, have done some basic enum to see that there’s a n exploit with the v2 already in the home dir. Running the v2 exploit fails for me with a 401 error. Looking on Google it and reading on here you can craft your own… I tried this in Kali but it failed and people have said to use a different environment… I really don’t want to install a new VM just for one machine…

Anybody that’s not installed a new VM for this box able to help/DM?

thanks!

Type your comment> @rancilio said:

I’m in as b*****eaan, have done some basic enum to see that there’s a n exploit with the v2 already in the home dir.

Eeeeh, unless I was blind when I did the box, I assume someone left his tools on the box and that folder shouldn’t be there. In any case, I think you can build the necessary package on many distros, including kali.

currently on as the a***** and found the ml directory but stuck on how to get into it. I found the b*********** but not sure where else to look. nudges?

I got user flag. Working on this s*** and s**** thing and slowly going crazy

rooted, it is an easy box.

Type your comment> @devilray said:

currently on as the a***** and found the ml directory but stuck on how to get into it. I found the b*********** but not sure where else to look. nudges?

everything you need is where you landed.
just look at the file’s.
find the creds for your next step.

no need to go outside www, i did and found some things but they where also in the www.

Type your comment> @djbrains said:

Type your comment> @devilray said:

currently on as the a***** and found the ml directory but stuck on how to get into it. I found the b*********** but not sure where else to look. nudges?

everything you need is where you landed.
just look at the file’s.
find the creds for your next step.

no need to go outside www, i did and found some things but they where also in the www.

I was able to find what I needed and got user flag. Thank you!

Can anyone help with root flag? Dirty-Socks not helping…

Type your comment> @secure77 said:

finished the machine, If anyone need help, just pm me.

@secure77 , I tried to message you on HTB, but it’s saying invalid user…dumb system. I was going to ask which package creator you used. I tried FPM, like it says on GTFOBins, but I just keep getting errors.

Someone suggested to me, packing up the file on Ubuntu, so I’m going to try that. Said he spent forever tryin to get it to work on Parrot and Kali, but only worked on Ubuntu.

Rooted

Incredibly dissatisfying as my google search yielded some forum that discussed spoilers :frowning: Even after completing this box, it feels like I cheated…

Anyway, it was not too hard but not too easy either.

Foothold: CVE… I thought it was too good to be true so I spent some time looking for something else. After realizing it was the CVE, it was easy. Obtained the shell manually but it was incredibly cumbersome to use so moved on to mc****. Easy

User: Found what I needed but couldn’t connect to the service. This is where I found the forum. Anyhow, I found what I was missing. ‘Buffered’ vs ‘Unbuffered’ was something I was not familiar with. Once understood, it was very straightforward

Root: Basic enum provided what I needed. Had to modify to create my own payload. Afterward, very straightforward.

PM me for nudge.

Type your comment> @6062055 said:

Type your comment> @secure77 said:

finished the machine, If anyone need help, just pm me.

@secure77 , I tried to message you on HTB, but it’s saying invalid user…dumb system. I was going to ask which package creator you used. I tried FPM, like it says on GTFOBins, but I just keep getting errors.

the first field of the message form is for receipts i think you have tried to enter there
some “subject” :wink:

anyway i sent you a message

Just got root. Big shout out to @x00future for the help.

Foothold: CVE for this, search a popular tool when you know the service running.
User: I had to force my way in…
Root: basic enumeration to find out what you can do…create the right environment to craft your OWN payload (it took me forever as I tried to use a default one for this priv esc method).

DM if you need help.