Official Ophiuchi Discussion

I wonder if it’s possible that this machine has got stuck (even after a few “machine resets”) in a state where the sudo command which I’m trying is shouting “cannot find package”. Looks like a missing GitHub repo on the machine. It was working yesterday, then stopped, and now I cannot move further.

Any suggestions appreciated.

Hey! Huh, I’m still pretty new at this, only have done a couple of boxes, but I got a problem while trying to get user, can’t understand how to create this yaml payload <.<

@crazyratpl said:

I wonder if it’s possible that this machine has got stuck (even after a few “machine resets”) in a state where the sudo command which I’m trying is shouting “cannot find package”. Looks like a missing GitHub repo on the machine. It was working yesterday, then stopped, and now I cannot move further.

Any suggestions appreciated.

got root - case closed :blush:

Just got rooted! Foothold was tough for me, but the others were easy… if you are stuck, feel free to DM me.

I’m always happy to help, if someone needs a nudge!

Root was fun, but annoying at the same time… I think I got it working after 15 minutes but I simply did not realize it… then tried setting up my “own” thing, spent another 2 hours trying to figure out what I did wrong, just to realize it already worked with the stuff given and my modifications -.-

@pizzapower said:

I can get a connection back to my box, but something isn’t working correctly for me. lol

edit: got a foothold, but looks like I was beaten to it

I can’t spoil, but the y***-*****ad doesn’t give me back a shell… I reviewed my code even with a friend who rooted it…

I have the exploit and everything works fine, but the only thing that doesn’t happen is a reverse shell. I checked multiple times and tried different ways to get the shell but I can’t get it.
Could anyone PM me so I can verify my approach?

This box is awesome. However, I spent a lot of time trying to get the right scripts to work as needed for user and for root.

I will just repeat the same thing that I found here in the forum for the root part. The location is very important. If someone is stuck I will be glad to indicate the right direction without spoilers.

Pepe

Hmmmm, I think I have done it the unintended way!

I haven’t read the comments yet, but I believe going directly from t***** to r*** isn’t the intended way.

uid=1001(t*****) gid=1001(t*****) euid=0(root) egid=0(root) groups=0(root),1001(t*****)

I think I will have to re-do it the intended way upon confirmation :expressionless:

EDIT: I think the box is broken, otherwise I doubt all those people who solved it didn’t mention the unintended one-liner root!

Rooted!

Plenty of hints on this page, but feel free to PM me if you’re really stuck!

Hey,
I’m trying to get a reverse shell with a bash script. One time I got the shell, but afterwards the same script code doesn’t give me a shell. Does someone know what happened and how I can restore the shell?

@pizzapower said:

I can get a connection back to my box, but something isn’t working correctly for me. lol

edit: got a foothold, but looks like I was beaten to it

Try another kind of rev shell. Maybe the same language as the vuln app?? :wink:

@pizzapower said:

I can get a connection back to my box, but something isn’t working correctly for me. lol

edit: got a foothold, but looks like I was beaten to it

Try using a different rev shell. Maybe the same language as the vulnerable app? :wink:

Rooted!

Guys, considering the vuln to reach the user, could someone here give some links with examples of the use of this kind of feature?
Is it possible to identify this vuln in the real world without the clue that we can see written?
In what kind of functionality is that feature usually used?

If you know, send me a DM please.

I can only assume the machine isn’t playing fair for some reason… I’m getting a connection back to my web server but the code isn’t executing like I expected… quadruple checked IPs and ports, maybe I’m using the wrong Java rev shell?? I thought we all got our rev shells from the same GitHub page???

Welp, I scored User in about 6 hrs LOL, took a hot minute. I learned a TON so it was well worth the time. Regardless, off to attempt ROOT! Thanks to everyone for your active nature on this forum, it helped a lot!

  • W4r

Spent an afternoon+evening but finally got root!

root@ophiuchi:~# id
uid=0(root) gid=0(root) groups=0(root)

Learned a lot about W***, never could get a reverse shell to work for root. Had to find another way.

Hey, can someone help me understand deploy.sh, how to create it and where? I tried looking on the internet but without luck.

Fun box, I had some trouble with getting reverse shell connections back too, but decided to simplify my payload to a simple test of pinging back to my server (with curl), and after I got that working turned it into a command to download a remote shell script and execute it. After you get something like that working it’s easy to try things one at a time and figure out exactly what you need to do since you don’t have any limitations on execution anymore and can use other requests to exfil information back out for debugging.

After that root was fairly straightforward for me because I happened to not even check what other files were on the system and just defaulted to creating my own payload, maybe all my years of software eng made me notice the issue without even thinking lol

It was nice to have to learn a bit about the technology to get a working exploit though

root@ophiuchi:~# date
Tue 29 Jun 2021 10:42:35 PM UTC
root@ophiuchi:~# id
uid=0(root) gid=0(root) groups=0(root)

@constR said:

Fun box, I had some trouble with getting reverse shell connections back too, but decided to simplify my payload to a simple test of pinging back to my server (with curl), and after I got that working turned it into a command to download a remote shell script and execute it. After you get something like that working it’s easy to try things one at a time and figure out exactly what you need to do since you don’t have any limitations on execution anymore and can use other requests to exfil information back out for debugging.

This is what I’m struggling with right now. I understand the foothold but just can’t figure out what I’m doing wrong with my payload.