Got root.txt after lots of hours. The privesc part was something new for me, what a hard learning class. As others, I love and hate this box at the same time, thanks to the makers.
Tip for the privesc: Don’t expect to find the exact solution in exploiting_capabilities_the_dark_side.pdf. Take it only as an introduction to capabilities. The solution is easier than that, think and search a bit on the box.
So has anyone actually got root (not just accessed the root.txt file)? If so, can you PM me to point to how you did it?
Got root ! It push at the limit of your capabilities !
BUT i’ve learned a lot of excellent things !
Got root.txt rolf, what a nice box on the privesc, pushing me to learn new things, I’ve never seen it before 
Anyone who want some help, just ask!
Cheers!
I’ve just figured out that some days ago an specific enumeration tool was updated with new capabilities. Update your enumeration tools before use them for the privesc part 
I think I’m jailed… I want to break free :), but no idea how to do it. Usual rshell bypass techniques didn’t work. Could someone please lend me a hand?. PM please.
I took a break from this, re-traced what I did and found waldo. Yay me.
I’m stuck on user n*****, unsure what steps to take next - there is a lot of talk about user m****** - do I need to be that user to obtain root? PMs for hints would be much appreciated.
Get root! After a good sleep and hours of researching! The way to read root file is a hidden way for me. A search command solved my problem in 1 minutes. There are so much files and folders make you thinking inside the box
Learned a lot from this box. Enumerating is never enough.
p/s: This is an interesting privilege escalation vector
I am stuck. I am user n*****, and I found the SS* credentials of the user m****** but the problem is that I cannot login using those credentials (I tried using the famous metasploit module that helped me login to the user n***** as well). Probably the problem is that I don’t know something that I should. If someone could PM me and give me a hint (not a solution - spoiler) towards the correct direction, it would be great! Thank you!
EDIT: I just found my mistake, God, i am so stupid. You don’t need to login externally with ssh, but rather “internally” using a standard ssh command.
help on initial start point?
found a vulnerability !
I have the thing, i can read files and directories, but i dont know what to do… would i find id_rsa for ssh or maybe try to get a reverse shell before?? hints by pm please 
Fun box, but the priv esc was a little boring. Or at least the way that I got the flag was. I’d be interested to play around more and hear about other options for actually getting a root shell if anybody has any.
@Skunkfoot said:
Fun box, but the priv esc was a little boring. Or at least the way that I got the flag was. I’d be interested to play around more and hear about other options for actually getting a root shell if anybody has any.
Server has radare2 1.1 on it. I think there are some tricks can be done with it, using l**M**** but i have never tried.
stuck in getting root, tried to research about capabilities, but seem there is no set*** / get*** commands to check the file capabilities. tried to look at the text editors, but totally no idea. would appreciate if anyone can give me some hints? thanks
@meowzilla said:
stuck in getting root, tried to research about capabilities, but seem there is no set*** / get*** commands to check the file capabilities. tried to look at the text editors, but totally no idea. would appreciate if anyone can give me some hints? thanks
If you’re out of the “jail” then all commands are available assuming your PATH is sorted.
Could someone PM me with some hints to move me forward. I’m logged in as user n*****. I see people talking about moving onto user m******, but I have not seen that user on my travels.
I see that this machine is a Dc**r container. I also see people talking about breaking out. I assume this is breaking out of Dc**r?
Any tips appreciated to get me moving forward!
hi guys I need a help on this macine, I can write some php code in /.list/list11 but i don’t know how to exec it. I have got all sources files but i can’t find the way.
OK thats the second time I’ve overlooked the same private key, but looked at every other file ><. Haha