Networked

HUNgeraHUN · October 17, 2019, 4:11pm

Finally rooted yesterday. I just wanted to say thanks for all the help I got from @lucxfer , @pr0t34n and @vider

Mgsy · October 17, 2019, 7:54pm

Interesting box. Rooted, feel free to PM me if you need help.

rr1993 · October 17, 2019, 9:01pm

Rooted, nice. Was harder then i thought and focused way to hard on the backup files.

Hints:
first shell: upload image of a shell
user: enum, inject
root: enum, suid file, use the name.

pi0x73 · October 17, 2019, 9:02pm

stop trolling the box . fucking idiots

C0r3Ac3 · October 17, 2019, 10:05pm

…

triki · October 18, 2019, 12:52am

Rooted, thanks for hints, was way overthinking it!

3322kr · October 18, 2019, 2:03am

Can anyone help for thr initial foothold i have tried changing the size of webshell below 60kb and changed the mime type too still invalid image is this the correct way ?

pi0x73 · October 18, 2019, 7:19am

[root@networked ~] #

g00t r00t.
Very amazing box.
I must say I learnt a lot since I don’t do so much linux boxes.

Thanks to @rholas and @vhash for giving me the right hints.

FootHold :
Find the hidden web directory and google how you can use magic bytes to go through limitations.

User : Find the hidden script, find out as what user it runs as and learn how you can “touch” it to get to the user.

Root: again find the hidden script and check how you can exploit it. Tip: Google helped me learn how to exploit it.

Report if spoiler.

p3tj3v · October 18, 2019, 7:43pm

if anyone wants to give me a hand for initial foothold…
understand what needs to be done…
found the files, can bypass the filter… but struggling to actually find a file I can then execute…

BrunoSardine · October 18, 2019, 7:51pm

User took me awhile, but I eventually got it. I came back to root today and it didn’t take me too long. I’m new to this kind of stuff to begin with so I’m surprised I got any of it at all.

My hints, hopefully these are just the right level of vague:

User

After your foothold, look to establish a more-preferred means of executing your commands
If necessary, run stuff locally and watch what’s actually happening. I got caught up on one part of the logic which ended up being irrelevant.
The methodology behind this pivot is much simpler than you’re thinking it is, in my opinion. It’s about leveraging what’s there (without modification) to make it do what you want to do.

Root

Don’t forget to enumerate!
This escalation is very similar to the user escalation.
What are you allowed to do with your new-found identity? Anything extra? Anything overpowered?
Again, more simple than you might think. Everything you need is in front of you, no modifications or additional complexity needed.

Hopefully these help. Feel free to PM me for any additional hints, I’ll do what I can.

mugall79 · October 19, 2019, 4:04pm

Rooted.
User took days but then root was easy if you understand the script, for user it was my mistake that i saw something at u***d and ignore it to try… so try each and every thing which you see during your enumerating.

Special Thanks to @lucxfer for all his help and guidance… otherwise really stuck at user part.

jish2002 · October 19, 2019, 4:54pm

I can’t even work out where to start

VoltK · October 19, 2019, 11:31pm

Is there some problems with the server? I know how to get user, it’s obvious, but it seems the cron doesn’t work, because I’ve been waiting for hour. Or maybe I’m doing something completely wrong?

Got root and was doing everything right. Sometimes you need to reset a machine if cron isn’t working.

Hint for root: google files that might be interesting

xxmeshxx · October 20, 2019, 12:47am

Hints for ROOT?, I’m stucked on ch******.s***

de7fx10 · October 20, 2019, 1:05pm

Type your comment> @codebear said:

G’day all again,

I’m getting into a rhythm of rooting boxes and as always the forum is a source of great inspiration and I always like to give back.

Just to note for this box I’m on a private server so I didn’t get any spoilers but a big shout out to @letMel00kDeepr, @LastC0de and @Apr4h for nudges on the USER portion.

INITIAL FOOTHOLD: This is pretty straight forward, think double ext and magic bytes. I picked this up from an IPPSEC video (although I can’t remember which one).

USER: The hints in here are TOUCH and you’ll need a special character ‘;’. Figure out where this needs to go and be patient. If you’re on the free server you’ll probs get this straight away.

ROOT: Basic privesc will lead you and then read code again.

If you need help PM me.

what do u mean by TOUCH?

Trolliama · October 20, 2019, 6:19pm

Finally rooted, for me the root part was the most difficult part

deadl0ck · October 20, 2019, 6:34pm

If someone stuck on getting user shell, read nc man carefully.

tvv · October 20, 2019, 7:04pm

Got a low priv shell, now trying to get user. I saw when something runs, and got ca.***. Also thanks to leftovers/forumposts I get what should be done. However I cant figure out exactly what and why it should work, anyone I could PM for a hint?

HNTLY · October 20, 2019, 7:05pm

Any chance I could get a hint on viewing u*.tt? Got shell as A***e, looked through c_a but not any good with understanding what it means. Think I understand the ‘touch’ reference but not sure how to make use of it. PM’s are welcome

psjs · October 20, 2019, 8:16pm

Type your comment> @kalagan76 said:

I’m almost at the point were i’m going to throw my laptop out of the windows. I’ve been stucked for days now.

I’m on the box as ae and trying to get a shell as g. I’ve read a lot about c*****d in and understand how it work but just not in the context of the ck_a*k.php and cron files.

I don’t understand where i could inject the command…i’ve try to create a file, upload a file with the command in the name, etc…

Help!!

Same here!
Can anybody help me to understand where to touch?
DM please