Celestial hint

Just got root on this one. I know I had tried what finally worked last week but it never gave me a shell. Worked first time I tried tonight. Getting the initial shell was much more interesting than getting root. Just a matter of patience in the end.

As @3ndG4me says, the vulnerability is very similar to the one mentioned in the article but is not the same.
Try feeding it different data types and see what happens. Once you understand what the code is doing, it is really easy to make the exploit work.

Nvm. I was focused too much on getting a root shell rather than actually getting root.txt

Any particular reason my code would work one day and not now? I see others have had trouble with this and eventually got this, but I’ve tried at least once a day the past few days with the same exact code.

Nevermind. Backspace is the death of me.

Machine goes down 50% of the time and this is really annoying(
I think that I'm totally lost on privesc, could someone DM me please?

@STingER said:
Machine goes down 50% of the time and this is really annoying(
I think that I'm totally lost on privesc, could someone DM me please?

YESSSSSSS!!! who’s crashing it plz stop doing so

The exploits that you have to use for user are interesting, but priv esc is not implemented well at all, Spoiler Removed - Arrexel. Also, let's not forget that the machine crashes for 20 min every 10 min ANDDDD when the machine crashes, which means every 10 min, you have to re-exploit the user. Pretty bad implementation. At least give SSH. (DON'T REPLY WITH GET VIP MEMBERSHIP cuz other free boxes are smoothly implemented with much harder exploitation) PEACE

@xtech said:
The exploits that you have to use for user are interesting, but priv esc is not implemented well at all, you edit the file and you have to wait. Once the time is already there, some other idiot edits the file with wrong input, then you have to get into an editing war with other people. Also, let's not forget that the machine crashes for 20 min every 10 min ANDDDD when the machine crashes, which means every 10 min, you have to re-exploit the user. Pretty bad implementation. At least give SSH. (DON'T REPLY WITH GET VIP MEMBERSHIP cuz other free boxes are smoothly implemented with much harder exploitation) PEACE

Waiting 5 minutes wouldn’t be so bad if the box could stay up for more than 5 minutes at a time…

There are some reverse shells for this platform that should not crash the server - according to a comment in the code. As far as I can tell from my tests this is not true (unless every time I tested with such shells somebody crashed the server with their hack).

Otherwise, it’s a really interesting box. I also agree with @3ndG4me that you don’t need THAT ARTICLE. Seems I did not find it initially, but used only more general advice on vulnerabilities in code in this language - which evil function not to use as a developer :wink: I learned a lot from building up my own exploit code, testing snippets in the browser console locally etc. You can trigger different server-side messages, and one will confirm that you are on the right track as it mentions the evil function :wink:

I also tried different variations for the reverse shell code in that language - seems with some shells you get an initial connect but then they aren’t stable … which can be hard to troubleshoot because of the frequent resets. I finally found THAT ARTICLE but only used the part of another linked article that creates the reverse shell - seems that shell was more stable than others. I would be interested in discussing details over PM - which reverse shell code you used and what detail of the code really makes the shell stable … I think it is related to handling errors and disconnects …

Got root but I think that I missed a few things. Can somebody DM me to discuss please?

Hi, could someone PM me how to advance (trying to get user access)? I can’t find “the article” everyone is referring to. Thanks!

@BobBobbington said:
Hi, could someone PM me how to advance (trying to get user access)? I can’t find “the article” everyone is referring to. Thanks!

I pm you

@s2233 said:
Waiting 5 minutes wouldn’t be so bad if the box could stay up for more than 5 minutes at a time…

yeah wait 5 min but how about someone changes your script to a reverse shell in these minutes, deleting your script and crashing the server :-1:

As I’d been asked per PM - I rooted it, but I would be interested in discussing details of others’ reverse shell code over PM. I wrote my own script for piecing together the exploit, and I tested snippets of code for creating a reverse shell. I’d like to understand why and if some shells are more stable than others - even if they all use the same core code that actually makes the connection …

Should possibly correct that spoilery wording…

@kekra said:
As I’d been asked per PM - I rooted it, but I would be interested in discussing details of others’ reverse shell code over PM.

I am really most interested in learning what features would generally make a reverse shell stable (in whatever programming language) in an unreliable environment such as this box is … Scrolling back in this thread shows that others also said the same code was working for them one day, and then the other day not.

What I should also add: I became a VIP member yesterday, so when I finally rooted it - using a seemingly good version of the code - I was working on a more stable machine.

SyntaxError: Unexpected token

   at Object.parse (native)
   at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js:62:16)
   at /home/sun/server.

Whenever I try to get the reverse shell I get this. Why is that? Can someone please tell me?
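For developers reading the trace above: it shows untrusted input reaching node-serialize's `unserialize`, which can evaluate code embedded in what it parses. The sketch below is an added example, not code from the box or from any poster in this thread; it parses the same kind of input with `JSON.parse` and checks each field's type against a fixed schema. Only `username` comes from the thread's "invalid username type" message; the other field names, the size limit and the sample inputs are assumptions.

```javascript
'use strict';

// Expected profile shape. Only `username` appears on the page (in the
// "invalid username type" error); `city` and `age` are hypothetical.
const SCHEMA = { username: 'string', city: 'string', age: 'number' };
const MAX_LEN = 1024; // constructed size limit for the raw input

function reject(error) {
  return { ok: false, error };
}

function parseProfile(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_LEN) {
    return reject('invalid input');
  }
  let data;
  try {
    // JSON.parse only builds data; it never evaluates code in the input.
    data = JSON.parse(raw);
  } catch (err) {
    // Malformed input gets a generic rejection, not a stack trace.
    return reject('malformed profile');
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return reject('profile must be an object');
  }
  // Refuse fields outside the schema (this also refuses "__proto__").
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) {
      return reject('unexpected field');
    }
  }
  // Every schema field must be present with exactly the expected type.
  const profile = Object.create(null);
  for (const [key, type] of Object.entries(SCHEMA)) {
    const value = data[key];
    if (typeof value !== type || (type === 'number' && !Number.isFinite(value))) {
      return reject(`invalid ${key} type`);
    }
    profile[key] = value;
  }
  return { ok: true, profile };
}

// Constructed sample inputs.
console.log(parseProfile('{"username":"alice","city":"Oslo","age":30}'));
console.log(parseProfile('{"username":{"nested":1},"city":"Oslo","age":30}'));
```
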

Just pwned this - If anybody needs some hints DM me

;-; whyz you needz hintz

Whenever I am running the exploit I am getting
An error occurred…invalid username type

Why is that? Can you help me?

nvm got it