Hi, I managed to manipulate the request and I can make the machine download my files, but with every reverse shell I try I don't get the connection. Can you give me any nudge?
I managed to get a simple nc without commands and without the "-e"
From what I can tell so far the YAML parser is at least meant to work. Anyone else getting a blank page with "Due to security reason this feature has been temporarily on hold. We will soon fix the issue!" every time they post something to the Yaml servlet?
Yep
the same here
It worked the last time I tried to get a reverse connection
Hello everyone (finally back on track!)
This machine was really interesting.
Learnt something new.
Everything has already been said.
For foothold, when you think it is not working, think also that there is always a workaround.
Cheers!
Impossible to get that yaml thing functioning :neutral:. Tried to execute system commands but it's not the right way. You need to run a web server on your host to serve files to the attacked URL.
For rooting, I just was unable to use webassembly tools. I found an online web tool that does the same. I thought deploy.sh deploys a war to the tomcat server but it's simpler than that. Just execute commands with the root account.
Well, that was impossible for me without tutos but I really tried to go ahead. I learned things undoubtedly.
I would say the rating is accurate. I had issues with both foothold and root, but only because I'm stupid. Foothold I could have gotten quicker if my syntax had been correct first time. Root I could have saved myself two days had I looked at something correctly. I pretty much knew exactly how to get to root once I looked the box over and read everything around me. I even did the steps that would get me to root, but then just missed ONE thing…
Fun box, I've been away working on retired windows boxes. Root threw me for a loop. Do your standard enumeration. There's a way of doing that redirection. GO do some reading. After that, if you make your own then just worry about Compiler errors. Runtime errors won't block you as long as you don't Byte off more than you can chew.
Rooted. Thanks @felamos. Learned something about w**m
@allTsar said:
From what I can tell so far the YAML parser is at least meant to work. Anyone else getting a blank page with "Due to security reason this feature has been temporarily on hold. We will soon fix the issue!" every time they post something to the Yaml servlet?
Getting this message is normal when you send something that doesn't do what's needed - except for when you send garbage and you get the trace that other people mentioned.
For root: getting an error when running the w**m-related command can also be normal and doesn't necessarily mean some other user bricked the machine, just read through what you have.
Friendly reminder to clean up your room before leaving the box.
Finally rooted. Thanks to @felamos for this awesome box.
Initial foothold was pretty tough for me, learned a lot. User and root part is pretty straightforward.
If anybody needs any hints, they can PM me.
about user:
If you are getting error 500,
please just read st******e, I mean, read every single line of it, until you see it
took like two hours for me ><
about root:
straightforward, just see what that strange file does, modify it and tadaa.
Got user.txt as the a****, and have a pretty clear idea of privesc, but am getting a weird error on a certain package. Not really familiar with the technology but I think I know what to do with d*****.sh.
Can anyone give a hint, please? I can run RCE, but cannot get a reverse shell. The server can connect to me, using curl, but I do not get a rev shell. I also do not know Java,
Rooted. Some places felt weird, like the keys were not getting written… maybe a temporary box issue, so I just echoed out the juice lol. Any help, DM as usual…
Just rooted this box… although, it'd be more accurate to say, "I got the flag"…
I couldn't get my version of the "attack script" to pop a reverse shell; I knew my script was being executed, because I got it to run id and saw the expected result. Try as I might, though, I couldn't get my reverse shells to work. In the end, I just catted what I needed. Like I say, I got the flag, but don't really feel that I "got root", if that makes sense…
If anyone here did manage to get a rev shell to work (or get in as root), would you mind sharing how, via PM, please?
I'm stuck on root.
I think I need to edit the .w*** file to return 1 on the i function? But I don't have write permissions to that file… What am I missing?
edit: never mind…
root@ophiuchi:/tmp# id && hostname
id && hostname
uid=0(root) gid=0(root) groups=0(root)
ophiuchi
I wonder if it's possible that this machine has got stuck (even after a few "machine resets") in a state where the sudo command which I'm trying is shouting "cannot find package". Looks like a missing github repo on the machine. It was working yesterday and stopped and now I cannot move further.