@safexsal said:
For the last 2 days I have done some queries and looking at the output believe got something. Do you need to decrypt or is it in plain text. Can’t get to user access.
No decryption is required to get user access.
Can anyone throw me a hint, I think I’m at the last step, I have access to the two users, and I can see user 1 has two binaries in their home area that can be executed with enhanced privs over what their account has.
What I just can’t get is the last step of using the T or O binaries to get the flag. I think I need the O file but I’ve tried reading the flags file as in as an input command but get access denied.
I’m pretty sure that o****** should be used, but stuck on permission for reading.
I need a hint - this binary should be run from other script/program? or directly?
Finally rooted the box, all you need is in this thread. For popping a root shell, if you can read then you can write! Happy to provide hints for anyone stuck.
Hi!
Rooted, but actually didn’t get what is happening when the creds of ld****ser2 are exposed. What is causing this? which process? Does someone know?
Rooted this machine if anyone need help feel free to pm 
can not capure any thing with **dum. Can any one help me with the command ?
Anyone can pm me for initial user, im kinda stuck (have some data from t****p but do not know how to use it, or if it is a deep hole i dig for myself 
Thanks!
Thanks to @samsepi0l and @Nofix for hints, it was not so easy as i thought and im glad to help anyone im PM.
Any hint about what to do to trigger t*****p on a specific port? I tried navigating on the web, launching features of the web,…
MP me.
Some (hopefully) non spoiler-y comments for anyone stuck.
Initial foothold - Check the simplest thing you could possibly do on a fresh box.
User:
- Take a moment and listen to the box, particularly when you look at something that loads slower than expected.
- Do not over-complicate once you’ve heard something - the answer is in front you.
- Do not attempt to SSH with your answer (refused to work for me at least), there’s a very common way to change user from your foothold.
- I couldn’t directly move any files between the box and my machine. @waspy comment on page 6 definitely works.
Elevation:
- As others have mentioned - something is more capable than it should be.
- When running the above explicitly write every filepath; do not be lazy or it won’t work!
- If you don’t know what filepath you’re after, check out the end of any of IppSec’s Youtube videos, you’ll find what you need.
I’m a scrub but happy to take on PMs if needed.
rooted learned alot from this box
rooted. learned a lot, thanks, if u need help, tell me.
Can someone PM a hint for root flag? I got access to both users, got access to the zip but clueless on what to do now. Not getting much wiser reading about capabilities
I could use a nudge. Only got the initial ssh and a couple sha512 hashes. t*****p gives me nothing useful 
edit1: got it, cheers @clmtn
Would anyone be able to provide a hint for User? Like @sanre initial query I am unsure on how to get the information I need using t*****p
EDIT: Reached l*******1, now to figure out root…
EDIT2: Rooted, Thanks for the advise folks!
finally got root but still got some questions on why something worked the way it worked
PM would be nice
Anyone able to help with escalating from the first user? I’ve ran the tp but am getting the same information that I got from the n script. I’ve tried using {***}* to login as well as the full hashes, but no luck.
EDIT: Nevermind, make sure you listen in the right places! 
EDIT 2: Rooted… paths are important!
Finally rooted this box and learned about capabilities
Special thanks to @sanre for taking the time to explain about linux capabilities.
I’m stuck on the last step for privesc.
I think I know what binary to use from the last user to get access to the flag, but I’ve been staring at man pages and playing with the program for the past hour or two and can’t get anything other than ‘permission denied’ errors for the file I want access to.