Curling

This machine was fun. PM if any hints needed.

Hi, I am new to HTB and new to OffSec. Can anyone give me a hint on how to find the user and password? I found those base64 strings and decoded them, but it outputs a URL path.

If only the Curling machine could shout: please stop bombing the index.php. We cannot use the machine.

4 restarts within 20 minutes, the machine is not usable atm…
Stop restarting the machine and changing the index.php.

Rooted the box. Getting user.txt is a pure CTF thing. But getting root was fun and very easy. If someone needs a hint - PM me.

Nice box, getting root.txt is easy, but a root shell is a little bit tricky.

Root was very funny :slight_smile:

I got root.txt but I’m not sure if it was me or not. Can somebody help me? xd

Can someone pm me a nudge in the right direction (other than “don’t over think it”) for Curling? I got p*******b***** file but I’m not sure how to start decrypting it.

That was a nice CTF box :slight_smile:
I see so many people digging WAY too deep on the box.
Best advice is to not overcomplicate and look at what is right in front of you (classic advice, I know lol…)

Can anyone help a noob privesc from www-data to user? Unless I went about getting a shell the wrong way?

@cognitiv3 said:
Can anyone help a noob privesc from www-data to user? Unless I went about getting a shell the wrong way?

Check your PMs.

Can someone point me in the right direction for getting a shell? I’m almost positive what I’m doing is correct, but I’m getting an error message that I don’t believe I should be getting.
EDIT: The error I’m getting is “You have tried to upload file(s) that are not safe.” except I’ve whitelisted and removed all file type restrictions in order to allow .php.

@nergalwaja said:
Can someone point me in the right direction for getting a shell? I’m almost positive what I’m doing is correct, but I’m getting an error message that I don’t believe I should be getting.
EDIT: The error I’m getting is “You have tried to upload file(s) that are not safe.” except I’ve whitelisted and removed all file type restrictions in order to allow .php.

I believe there are many ways to solve this. If you don’t mind missing why something doesn’t work, you may just try other (though maybe similar in concept) attempts.

help root …PM

Anyone else getting this when trying to connect to the box? I tried the reset button but it’s not resetting.

WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)

Whoop! Finally got root.txt and really enjoyed it. Learnt a few things even from the dead ends I ended up at. :smiley:

No idea what to do with the p******_b******* file. Any tips?

@cognitiv3 said:
No idea what to do with the p******_b******* file. Any tips?

Google “file signatures” or “magic bytes” or “magic numbers”.

Finally rooted… I heard from people that there is a way to read root.txt without a shell?? Anyone who did it that way, PM me because I am curious how you got that to work that way.