Curling

I just can’t understand how to get root… I see that admin***** but don’t know what’s going on there… Any hints…?

Finally got the root flag, it truly was super obvious, but it was something that I thought was a troll so I ignored it for hours lol. I feel bad for wasting like 4 hours on priv esc when it could have taken 5 minutes.

Can’t figure out how to pop a shell as root just yet but I’m satisfied with getting the flag for now.

Got it.
very nice box
if anybody needs help, don’t hesitate to pm me

this box is really unstable… 5 minutes after reset and then it starts timing out

is burpsuite useful or not in this vm?

@b10s said:
is burpsuite useful or not in this vm?

“Useful” is relative I guess, but I didn’t use it at all, and I can’t see from my perspective how it could really be useful. The only web-based steps are as follows:

Spoiler Removed - Arrexel

Rooted !
What a box
Pm if you need help

I can’t get root for the life of me! I’ve been searching around for hours now…

@marzukr said:
I can’t get root for the life of me! I’ve been searching around for hours now…

Look closer, you don’t need to search very far to find what you need. This isn’t some common exploit or something like that, but it’s pretty simple to figure out if you can find the right avenue. Just look around for some interesting stuff that you don’t see on a clean linux install.

TLDR; RTFM :)

Just got it!!! Tbh, root was way harder and less straightforward than user for me.

■■■■, I feel like an idiot. I can’t even get past the login page. Found the se****.txt which looks like a password but no username works. I thought the user Fl**** would work but no. Admin no. Used cewl with burp suite and nothing could get in. I’m not seeing something that’s probably obvious. Can’t get in to either login page. Tried hydra on port 22 with what I found and my cewl list and still no dice. PM appreciated.

@paddy said:
■■■■, I feel like an idiot. I can’t even get past the login page. Found the se****.txt which looks like a password but no username works. I thought the user Fl**** would work but no. Admin no. Used cewl with burp suite and nothing could get in. I’m not seeing something that’s probably obvious. Can’t get in to either login page. Tried hydra on port 22 with what I found and my cewl list and still no dice. PM appreciated.

are you sure you have the actual password?

@paddy said:
■■■■, I feel like an idiot. I can’t even get past the login page. Found the se****.txt which looks like a password but no username works. I thought the user Fl**** would work but no. Admin no. Used cewl with burp suite and nothing could get in. I’m not seeing something that’s probably obvious. Can’t get in to either login page. Tried hydra on port 22 with what I found and my cewl list and still no dice. PM appreciated.

I had this problem for a bit. When I figured it out, I wanted to kick myself because that step is usually something that I do routinely with strings that look like that, but I also figured that it already looked like a password.

Cool, I figured that part out. I am working on something ippsec did in the Popcorn walkthrough. He used burp suite to manipulate something when he was uploading but I can’t seem to get it right. I think that’s how I’ll get RCE right? Been working on it for the last hour and a half.

@paddy said:
Cool, I figured that part out. I am working on something ippsec did in the Popcorn walkthrough. He used burp suite to manipulate something when he was uploading but I can’t seem to get it right. I think that’s how I’ll get RCE right? Been working on it for the last hour and a half.

No Burp Suite needed. Think about how Joomla and its modules and such work, and how you can abuse that as an admin (assuming file permissions are open enough for this mechanism to work, which they are in this case).

I’m stuck at the privesc… probably thinking the hard way! It should take 5 minutes because it should be basics. I do have a little clue on where to go yet.

@opt1kz said:

@galoryber said:
Exactly this. I’m here to learn before taking my OSCP course in the new year. The machines I’ve already done are very easy retro-respectively. Learning how to get there though… there is a lot of ground to cover.

You guys aren’t wrong by any stretch of the imagination. I can see why this box would be difficult for someone just starting out. I can’t speak for Frey, but, personally, I’m having a very difficult time trying to come up with hints that wouldn’t just be outright spoilers.

But that may very well be the disconnect between those with less experience and those with more experience; to me it seems like any hint I provide would be a spoiler, but if the person I’m providing that hint to isn’t already in my headspace… It might not even be useful to them. But it could also be spoonfeeding a third party reading the hint who’s in between us as far as skill/experience goes. So it’s a very difficult issue to navigate.

I think this is also why you see so many people just saying the same, tired ■■■■ over and over on this forum. “Enumerate more”, “try harder”, etc.

TL/DR: I don’t think anyone is trying to be intentionally unhelpful.

Hint for stage one: Enumerate. Examine everything (including page sources) and look for common file extensions. Everything you need to login is literally right there in front of you. Once you’ve logged in, you may need to research a bit before you figure out how to execute commands on the system, but it is very, very simple.

Hint for stage two (user): Again, it’s in your face. No tricks. If the first few bytes of the file look familiar, that’s because they are. If they aren’t, Google them. Either way, figure out how to transform the data into something else, and then repeat. Eventually you’ll end up with a plaintext something-or-other that you’ll (hopefully) know what to do with.

Hint for stage three (root): There’s something going on close by. You don’t need to venture very far. Figure out what’s going on and leverage it. Be patient. Examine the environment.

I agree with everything that you said but your stage two hint may be a little too hand-holdy lol. It’s difficult, I’m getting PMs every day, “please tell me how to do this, then this, then this”. I blew through user quickly, had a good time because it was a little creative and a break from the norm. Sometimes these quick wins help your confidence :)
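
An added illustration of the stage-two hint quoted above (identify a file by its first bytes, transform it, repeat); it is not part of any post in this thread. It assumes the layers are common compression or archive formats, and the function names and the sample data are constructed for the example.

```python
import bz2
import gzip
import io
import lzma
import tarfile

# Leading-byte signatures and the matching stdlib decompressor.
FORMATS = {
    "gzip": (b"\x1f\x8b", gzip.decompress),
    "bzip2": (b"BZh", bz2.decompress),
    "xz": (b"\xfd7zXZ\x00", lzma.decompress),
}

def identify(data: bytes) -> str:
    """Name the format from its signature, or 'data' if none matches."""
    for name, (magic, _) in FORMATS.items():
        if data.startswith(magic):
            return name
    # tar has no leading magic; POSIX tar stores "ustar" at offset 257.
    if data[257:262] == b"ustar":
        return "tar"
    return "data"

def first_tar_member(data: bytes) -> bytes:
    """Return the contents of the first regular file in a tar archive."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        member = next(m for m in tar if m.isfile())
        return tar.extractfile(member).read()

def unwrap(data: bytes, max_layers: int = 16):
    """Peel layers until nothing is recognised; return (layers, payload)."""
    layers = []
    for _ in range(max_layers):  # bounded, so nested input cannot loop forever
        kind = identify(data)
        if kind == "data":
            break
        data = first_tar_member(data) if kind == "tar" else FORMATS[kind][1](data)
        layers.append(kind)
    return layers, data

def build_sample() -> bytes:
    """Constructed sample: text -> tar -> bzip2 -> gzip."""
    text = b"constructed-sample-text\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("note.txt")
        info.size = len(text)
        tar.addfile(info, io.BytesIO(text))
    return gzip.compress(bz2.compress(buf.getvalue()))
```
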

@opt1kz said:

@galoryber said:
Exactly this. I’m here to learn before taking my OSCP course in the new year. The machines I’ve already done are very easy retro-respectively. Learning how to get there though… there is a lot of ground to cover.

You guys aren’t wrong by any stretch of the imagination. I can see why this box would be difficult for someone just starting out. I can’t speak for Frey, but, personally, I’m having a very difficult time trying to come up with hints that wouldn’t just be outright spoilers.

But that may very well be the disconnect between those with less experience and those with more experience; to me it seems like any hint I provide would be a spoiler, but if the person I’m providing that hint to isn’t already in my headspace… It might not even be useful to them. But it could also be spoonfeeding a third party reading the hint who’s in between us as far as skill/experience goes. So it’s a very difficult issue to navigate.

I think this is also why you see so many people just saying the same, tired ■■■■ over and over on this forum. “Enumerate more”, “try harder”, etc.

TL/DR: I don’t think anyone is trying to be intentionally unhelpful.

Hint for stage one: Enumerate. Examine everything (including page sources) and look for common file extensions. Everything you need to login is literally right there in front of you. Once you’ve logged in, you may need to research a bit before you figure out how to execute commands on the system, but it is very, very simple.

Hint for stage two (user): Again, it’s in your face. No tricks. If the first few bytes of the file look familiar, that’s because they are. If they aren’t, Google them. Either way, figure out how to transform the data into something else, and then repeat. Eventually you’ll end up with a plaintext something-or-other that you’ll (hopefully) know what to do with.

Hint for stage three (root): There’s something going on close by. You don’t need to venture very far. Figure out what’s going on and leverage it. Be patient. Examine the environment.

What’s easy for some is not easy for others. That’s why the retired box area is there and that’s where people should learn I guess. I would never complain about people not giving hints or people being annoying by saying a box is easy. We all have to get to the level where boxes like this are easy.

I haven’t even been able to get user and I am sure I’m not alone. My latest attempt was looking at the extensions. I manipulated all of their names in a text file and grep -f against another file with all the known vulnerable extensions named but no dice. I’ll continue trying but this tells me I need to pop a few more boxes in the retired area and learn from the walkthroughs when I get super stuck. I really do learn a lot from ippsec’s walkthroughs.

@paddy said:

What’s easy for some is not easy for others. That’s why the retired box area is there and that’s where people should learn I guess. I would never complain about people not giving hints or people being annoying by saying a box is easy. We all have to get to the level where boxes like this are easy.

I haven’t even been able to get user and I am sure I’m not alone. My latest attempt was looking at the extensions. I manipulated all of their names in a text file and grep -f against another file with all the known vulnerable extensions named but no dice. I’ll continue trying but this tells me I need to pop a few more boxes in the retired area and learn from the walkthroughs when I get super stuck. I really do learn a lot from ippsec’s walkthroughs.

I have been thinking hard about going vip so I can get access to the retired boxes and walkthroughs. You may have just given me the incentive I was looking for.

I’ve managed to finally get into the website, and even gotten some files uploaded, but I still can’t get the RCE. I definitely have a lot to learn, so I’ll go take a look at some of the previous boxes and develop my skills there. Thanks @paddy