Lightweight

@3mrgnc3 said:
To get a root shell I learned a new thing on this box.
Was fun.
Thanks @0xEA31
:heart:

You are welcome!

I'm on the 127.****** shell in here. So what should I do next? Please.

Can someone PM me? Need help, guys.

@korrey said:

@lnx said:

@Phrenesis2k said:

@IteXss said:
Hi mates, I have been trying to capture the intended packets for a while, but nothing seems to be working! Can someone who already did it give it a try to check if it is working?

Output it to a file and read it with another packet reading program on your local machine.

xxd is quicker :slight_smile:

Even strings can do the job!

Or you can use the ‘-A’ option to display results in ASCII format.

Hi guys.

root shell owned! I really learned new things on this machine. PM me if need hints :slight_smile:

@Baikuya said:

@Skunkfoot
It helps if you’ve completed Frolic.

Don’t you mean Waldo?

No, I meant Frolic, but completing Waldo will help too for a different part, so that’s a good point.

@librab103 said:

@Skunkfoot said:
This one was quite confusing for me, couldn’t have done it without the hints that I got. The flow just didn’t really seem to make sense to me. I’m gonna go back tomorrow and redo it starting from the beginning to see if it makes more sense now.

A couple issues I ran into:

  • You may need to visit a couple of the webpages a couple times in your local browser to generate that which you seek for access to a certain user.

  • If you’re having trouble cracking anything, try reinstalling your tool or looking for alternatives.

  • Always start with a small wordlist, don’t jump straight to rockyou if you can avoid it. Sometimes the string you’re looking for is simple.

  • For root specifically (at least the flag, I haven’t gotten the shell yet, one of my goals for tomorrow), when you’re looking at what you’re able to do, one of these things is not like the other. What can you do with that thing? It helps if you’ve completed Frolic.

Are you using Burp or your browser’s inspect option to view the data going between host and remote?

No, or I don’t understand the question. You don’t need to inspect any captured data between you and the remote host, if that’s what you’re asking.

Stuck on user priv esc… I’m in via SSH but can’t seem to find traction within, any nudges?

Finally rooted, thanks to @avetamine and @IteXss for the heads up.
Also, getting a root shell is a nice challenge.
Still missing some understanding about how this o****** is able to do it. Would be nice if someone could PM me to discuss whether my assumption is correct.

They deleted my post, probably because it was considered a spoiler; anyone having questions can PM me.

@Uvemode said:
Got root and all, but I’m curious, how exactly?
‘It’ was blank, therefore it shouldn’t be able to do anything special. I checked and blank means nothing, even with those ending flags, except that the previous ‘it’ were removed. Surely I missed something.
@avetamine
There is a C function that translates a textual representation of what you can do into a binary one. In the man page there is also a section about what it means when ‘it’ is blank.

@Skunkfoot said:

@Baikuya said:

@Skunkfoot
It helps if you’ve completed Frolic.

Don’t you mean Waldo?

No, I meant Frolic, but completing Waldo will help too for a different part, so that’s a good point.

@librab103 said:

@Skunkfoot said:
This one was quite confusing for me, couldn’t have done it without the hints that I got. The flow just didn’t really seem to make sense to me. I’m gonna go back tomorrow and redo it starting from the beginning to see if it makes more sense now.

A couple issues I ran into:

  • You may need to visit a couple of the webpages a couple times in your local browser to generate that which you seek for access to a certain user.

  • If you’re having trouble cracking anything, try reinstalling your tool or looking for alternatives.

  • Always start with a small wordlist, don’t jump straight to rockyou if you can avoid it. Sometimes the string you’re looking for is simple.

  • For root specifically (at least the flag, I haven’t gotten the shell yet, one of my goals for tomorrow), when you’re looking at what you’re able to do, one of these things is not like the other. What can you do with that thing? It helps if you’ve completed Frolic.

Are you using Burp or your browser’s inspect option to view the data going between host and remote?

No, or I don’t understand the question. You don’t need to inspect any captured data between you and the remote host, if that’s what you’re asking.

@Skunkfoot
I don’t see why completing Frolic helps in this box. Maybe PM me, I don’t get it.

edit

I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.

The most difficult part, or at least the part that took me more time was going from user2 to user1 and that’s because I’m a bit lazy.

Good box, I enjoyed it a lot. Thanks to the creator and thanks everybody for the help.

Sooo… I found two creds whilst logged in with the “easy” access account, both turned out to be $6$salt$hash. Been trying to brute-force for a whole day using assorted wordlists etc. with no luck. Am I missing something?

Any hints for root privesc???
cracking ba****.***

@mrflibbleoz said:
Been trying to brute-force for a whole day using assorted wordlists etc. with no luck. Am I missing something?

Brute-forcing is a rabbit hole, though the accounts are useful. You should think about a different approach to get the passwords.

@prokaryont said:

@Uvemode said:
Got root and all, but I’m curious, how exactly?
‘It’ was blank, therefore it shouldn’t be able to do anything special. I checked and blank means nothing, even with those ending flags, except that the previous ‘it’ were removed. Surely I missed something.
@avetamine
There is a C function that translates a textual representation of what you can do into a binary one. In the man page there is also a section about what it means when ‘it’ is blank.

You are right, it was in the man page. I just didn’t check for the right keywords.
Thanks.

Yes thanks for the insight @prokaryont

@mitoOo said:
Any hints for root privesc???
cracking ba****.***

Once you crack that file and read the contents carefully, it should be straightforward. PM me if you need help.

@epsequiel said:
I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.

So, as a tip, maybe you shouldn’t read through the forums if you don’t want the hints.