Craft

Just rooted.
Thanks @evyatar9 for pointing me in the right path.
Hint for root: think about ssh access.
Can PM me if stuck.

This is an awesome box. Thank you @rotarydrone !!

The initial foothold drove me mad but anything after this is crafted very nicely.

Can PM me if you need a nudge.

I need help for the initial foothold. I have found the el and can gen a t*n but can’t find how to pop a shell from that.

I have also assumed that if I can get the db creds then they might be reused for s*h

EDIT: in jail

Hello,

Found the el function in the code, pretty sure the vulnerability is there, found that token in the curl request, but I simply can’t put them together to move forward to code exec.
Understood how the el function is vulnerable, but every time I pass any POST request I get an invalid or nonexistent token.

Any help would be appreciated, maybe some link with something similar :-?

Many thanks!

EDIT: Got a shell, but not on the craft machine. I guess, I am in jail.

@frazvan maybe your token needs to be refreshed

Rooted!!
Very nice machine @rotarydrone. Thanks for the awesome box.

For user, everything is there. Just get the credentials and exploit the vulnerable code. After that, it’s all enumeration.
Root is straightforward. Once you find the service, then just read the documentation.

This box was simply brilliant. The initial foothold, for me, was an utter pain, but perseverance prevailed. As with nearly everything, it wasn’t half as complex as I was leading myself to believe and it’s all about seeing the right thing. Enumeration is key key key. The information is there, keep digging and you’ll eventually find everything you need.

I did root this in a shockingly quick amount of time (for me) but still… a tonne of fun. Feel free to poke me for hints.

Edit: Also meant to chuck thanks to @rotarydrone for the creation of this.

Finally rooted!

Spent a good amount of time down a hole trying to crack the j*t - finding the vuln was fast but my god crafting was slow! Thanks @frazvan and @Angel235

Root was fun and all in the docs.

Fun box!

Spoiler Removed

Despite getting the foothold on the machine (limited shell), I couldn’t get the user shell. Any small hints would be helpful.

Rooted!

Getting user is so much fun and a bit hard for root. Reading document is the way. Feel free to PM me if you need.

I’m an idiot. Tried to use 0.0.0.0 at the last step… Then switched to 127… and it worked like a charm.

@abuyv said:

Despite getting the foothold on the machine (limited shell), I couldn’t get the user shell. Any small hints would be helpful.

Note the tools used for the app. Some tool(s) is/are very good for enumerating purposes and tweaking some files may help you with that (not a good idea to do it in jail tho :confused: ). PM me if you need more help. Best of luck!

Finally got root!

Quick tip: don’t over-think it, everything you need is right there in front of you. Read the code!

Thanks to @lolxD for the help!

Rooted!
Really nice box, I very much enjoyed it!
For user, as The voice once said: the jailer is the key :wink:

Can anyone nudge me in the direction of the correct escaping/syntax on the RCE? I’m pretty sure I know the payload(s) I can use to verify command execution and a shell, but I don’t get anything back and only see the 500 error.

root@craft:~#

Wow, what a ride!
Don’t have enough words to describe this masterpiece! Well designed environment with actual cloud technologies and real life scenario with nudges left behind by the “developers”.
Thank you @rotarydrone !

It’s my 2nd favourite box !

Quick tips:

  1. Read the source code (leakage).
  2. Use python3 (requests) to automate 2 things. Strange responses? Take into account the boolean logic :wink:
  3. Inside: enumerate with python3 (8 lines of code).
  4. Use the data from 3. Don’t overthink!
  5. Grab user.txt
  6. Enumerate, use the documentation, login as root, grab root.txt!

I finally rooted it!
That was such a cool, realistic and interesting box.

The hints are all here in the forum already, but feel free to PM for nudges!

@S7uXN37 I’ve sent you a PM

@laszlo said:

  1. Inside: enumerate with python3 (8 lines of code).

@laszlo can you recommend anything to read? Googling “enumerate with python” spits out nothing helpful…