onetwoseven

Spoiler Removed

@joakim said:

Really cool box so far! I would be really happy if someone would be so kind to PM me a hint.

I’ve managed to get “upload succesfull.y”, but I cannot find my upload anywhere? Hmm…

Thanks a lot for your help, @lantog
Awesome box!

Would anyone be able to assist with intercepting the tunnel traffic with burp? I’ve been struggling to get this working correctly but feel I am super close.

Can someone give me a hint about the sftp part?
I tried creating links, but I'm limited to the web root (www), so I didn’t manage to browse anything interesting.
And I tried uploading a shell and giving 777 to it, but I'm getting 403 all the time.
What am I missing?

EDIT: Working only in sftp tunneled my vision; I didn’t think about how different environments may interact with the same object.
Moved on, but did not manage to upload a reverse/command shell from sftp.

Finally got root! That was a pretty cool box, though root was definitely finicky. lol

A tip for people working on root:
People on stackoverflow don’t know ■■■■. Do not ever trust their answers and do more thorough research to confirm it. Got completely dead-ended because I trusted something I read there to rule out one of my approaches.

.

@GordonFreeman said:

Would anyone be able to assist with intercepting the tunnel traffic with burp? I’ve been struggling to get this working correctly but feel I am super close.

remove 127.0.0.1, localhost from exceptions in browser

Awesome box, from beginning to end. Congrats to @jkr for the great work done here. It’s not an easy one, but you can learn a lot from every step if they don’t just tell you how to do it. Root is mindblowing. My tip: This box is so well made it tells you exactly what you need to know. Things will stand out, you’re probably on the right track. Nothing is here by chance. READ every piece very very carefully and think on how to turn it around to your advantage.

@GordonFreeman said:

Would anyone be able to assist with intercepting the tunnel traffic with burp? I’ve been struggling to get this working correctly but feel I am super close.

Remove the directive in Firefox's network settings for the proxy to bypass 127.0.0.1.

I had the same issue. The box is very unstable; I've been waiting two days for this to work so I can go for root. Me and 3 guys were having major issues last night.

So… is a**-g** u***** a rabbit hole to get root? I already have shell access, but no user.txt and root.txt in sight so far. I know ways to exploit it, but those won’t work here - or would they? Not sure if a proxy is needed for this attack… Any hints? Also, is there a way to get user.txt without getting root? I know I am soooo close

@rootk1d said:

So… is a**-g** u***** a rabbit hole to get root? I already have shell access, but no user.txt and root.txt in sight so far. I know ways to exploit it, but those won’t work here - or would they? Not sure if a proxy is needed for this attack… Any hints? Also, is there a way to get user.txt without getting root? I know I am soooo close

Nope, not a rabbit hole. You can view with netcat and figure out what is going on here. An upstream proxy as well as a little local host editing should get you on the way.

I was also told env_k*** works, but I found so does a proxy through apt-***.

@wabafet said:

@rootk1d said:

So… is a**-g** u***** a rabbit hole to get root? I already have shell access, but no user.txt and root.txt in sight so far. I know ways to exploit it, but those won’t work here - or would they? Not sure if a proxy is needed for this attack… Any hints? Also, is there a way to get user.txt without getting root? I know I am soooo close

Nope, not a rabbit hole. You can view with netcat and figure out what is going on here. An upstream proxy as well as a little local host editing should get you on the way.

Awesome cheers! Seems I am actually on the right path…

OK, I think I need some more help here… SFTP really seems to be a dead-end. I’ve looked at all the commands and none of them seem useful to me. I’ve looked at all the commands with help, tried ridiculous stuff and nothing is working. I’ve tried tunneling to the high port and SSH tells me to ■■■■■■ off. I don’t need the whole Scooby-Doo rundown but I’m struggling here peeps. Any other suggestions?

@virtualgoth said:

OK, I think I need some more help here… SFTP really seems to be a dead-end. I’ve looked at all the commands and none of them seem useful to me. I’ve looked at all the commands with help, tried ridiculous stuff and nothing is working. I’ve tried tunneling to the high port and SSH tells me to ■■■■■■ off. I don’t need the whole Scooby-Doo rundown but I’m struggling here peeps. Any other suggestions?

SFTP is not a dead end. Think about how Apache may interpret some information differently than the SFTP environment. SSH tunneling does not require terminal connection, if you pass the correct option to it.

Great work @jkr. Lovely box.

Is the privesc related to a**-t u***e? I read somewhere that this version is not vulnerable to that recent exploit?

deleted misleading comment

Hey all, I don’t know how to asterisk out spoilers so I’m going to try to be vague. For privesc I know the app I have to target and I’ve redirected traffic to me; however, I do not know how to serve out a malicious package. If allowed, is there a blog post or a reference that someone can link me to get me started? Thanks all!

@Manb4t said:

@GordonFreeman said:

Would anyone be able to assist with intercepting the tunnel traffic with burp? I’ve been struggling to get this working correctly but feel I am super close.

remove 127.0.0.1, localhost from exceptions in browser

@Manb4t thank you, I would have never seen this!

I found this admin page; is this the right way to root or a rabbit hole?