Finally rooted yesterday. I just wanted to say thanks for all the help I got from @lucxfer, @pr0t34n and @vider
Interesting box. Rooted, feel free to PM me if you need help.
Rooted, nice. Was harder than I thought and focused way too hard on the backup files.
Hints:
first shell: upload image of a shell
user: enum, inject
root: enum, suid file, use the name.
stop trolling the box. fucking idiots
…
Rooted, thanks for hints, was way overthinking it!
Can anyone help for the initial foothold? I have tried changing the size of webshell below 60kb and changed the mime type too, still invalid image. Is this the correct way?
[root@networked ~] #
g00t r00t.
Very amazing box.
I must say I learnt a lot since I don’t do so many Linux boxes.
Thanks to @rholas and @vhash for giving me the right hints.
FootHold :
Find the hidden web directory and google how you can use magic bytes to go through limitations.
User : Find the hidden script, find out what user it runs as and learn how you can “touch” it to get to the user.
Root: again find the hidden script and check how you can exploit it. Tip: Google helped me learn how to exploit it.
Report if spoiler.
if anyone wants to give me a hand for initial foothold…
understand what needs to be done…
found the files, can bypass the filter… but struggling to actually find a file I can then execute…
User took me awhile, but I eventually got it. I came back to root today and it didn’t take me too long. I’m new to this kind of stuff to begin with so I’m surprised I got any of it at all.
My hints, hopefully these are just the right level of vague:
User
- After your foothold, look to establish a more-preferred means of executing your commands
- If necessary, run stuff locally and watch what’s actually happening. I got caught up on one part of the logic which ended up being irrelevant.
- The methodology behind this pivot is much simpler than you’re thinking it is, in my opinion. It’s about leveraging what’s there (without modification) to make it do what you want to do.
Root
- Don’t forget to enumerate!
- This escalation is very similar to the user escalation.
- What are you allowed to do with your new-found identity? Anything extra? Anything overpowered?
- Again, more simple than you might think. Everything you need is in front of you, no modifications or additional complexity needed.
Hopefully these help. Feel free to PM me for any additional hints, I’ll do what I can.
Rooted.
User took days but then root was easy if you understand the script. For user it was my mistake that I saw something at u***d and ignored it to try… so try each and every thing which you see during your enumerating.
Special Thanks to @lucxfer for all his help and guidance… otherwise really stuck at user part.
I can’t even work out where to start
Are there some problems with the server? I know how to get user, it’s obvious, but it seems the cron doesn’t work, because I’ve been waiting for an hour. Or maybe I’m doing something completely wrong?
Got root and was doing everything right. Sometimes you need to reset a machine if cron isn’t working.
Hint for root: google files that might be interesting
Hints for ROOT? I’m stuck on ch******.s***
@codebear said:
G’day all again,
I’m getting into a rhythm of rooting boxes and as always the forum is a source of great inspiration and I always like to give back.
Just to note for this box I’m on a private server so I didn’t get any spoilers but a big shout out to @letMel00kDeepr, @LastC0de and @Apr4h for nudges on the USER portion.
INITIAL FOOTHOLD: This is pretty straight forward, think double ext and magic bytes. I picked this up from an IPPSEC video (although I can’t remember which one).
USER: The hints in here are TOUCH and you’ll need a special character “;”. Figure out where this needs to go and be patient. If you’re on the free server you’ll probs get this straight away.
ROOT: Basic privesc will lead you and then read code again.
If you need help PM me.
what do u mean by TOUCH?
Finally rooted, for me the root part was the most difficult part
If someone stuck on getting user shell, read nc man carefully.
Got a low priv shell, now trying to get user. I saw when something runs, and got ca.***. Also thanks to leftovers/forumposts I get what should be done. However I can’t figure out exactly what and why it should work, anyone I could PM for a hint?
Any chance I could get a hint on viewing u*.tt? Got shell as A***e, looked through c_a but not any good with understanding what it means. Think I understand the “touch” reference but not sure how to make use of it. PMs are welcome
@kalagan76 said:
I’m almost at the point where I’m going to throw my laptop out of the windows. I’ve been stuck for days now.
I’m on the box as ae and trying to get a shell as g. I’ve read a lot about c*****d in and understand how it works but just not in the context of the ck_a*k.php and cron files.
I don’t understand where I could inject the command… I’ve tried to create a file, upload a file with the command in the name, etc…
Help!!
Same here!
Can anybody help me to understand where to touch?
DM please