Obscurity

Was a lot of fun, but also some hard work. In hindsight everything could’ve been done much more efficiently, but I guess that is the case for EVERY achievement in retrospect.

I rated 7/10 for the user flag and 3/10 for root, but 7/10 doesn’t really reflect the complexity; it is only that high because of the really long time it took me to get onto the right track. After first analyzing the server script I got the wrong idea for exploiting a vulnerability there. Then I saw the right vulnerability to exploit, but still wasn’t totally on the right track, because I was blinded by what only seemed to be obvious but wasn’t correct at all. Is it a red herring?

Finally I saw a better opportunity for getting remote access as the web user, and from then on the rest went relatively smoothly.

After having access as the SSH user, escalating privileges was not a big deal at all here.

Really a nice challenge - if only I’d seen the more promising way a bit quicker!

@paddanada said:
For .py beginners, is it necessary to install Flask in order to debug/test locally, or is there an alternative method?

I’ve added the code snippet from the Flask quickstart guide to the first .py file you discover, and although the server runs the code OK, when I browse the page I’m seeing a “view function did not return a valid response” error in the console (and a 500 Internal Server Error in my browser). So, before I get too far into debugging and correcting that, am I heading down a rabbit hole?

I didn’t use a debugger locally. The script itself is tiny and well structured; I played around with it a bit and wrote down its behaviour. You have to look out for the most promising vulnerability. That alone took me a LOT of time.

Rooted.
Foothold: Any wordlist is fine. View the page source and see if you notice anything strange when you compare what you see there to the results of running dirb with the standard wordlist. That was what tipped me off. Once you find the file, examine the code, run it locally and see what happens. Then apply that knowledge on the real thing.

User: Read the code and understand it. You can either write a program to undo it or find a trick that undoes it without you writing any code. Either way, make sure the files you’re working with have the same filesize as the ones on the box. Or better yet, just do everything on the box. I wasted a ton of time not realizing that certain files copied incorrectly.

Root: As always, examine the code. Look for the thing you have to catch. Then figure out how to catch something that moves faster than your hands.

Feel free to message me for hints.

I feel like I am very close to user… Someone mind shooting me a msg so we can discuss where I may be going wrong?

I don’t really know what the problem is. If someone could point me in the right direction, that would be great. I have been at this stage for much longer than I care to say.
I am having problems with the initial shell.

What I do know:
I have confirmed RCE on the box.
I have several DIFFERENT payloads that all work perfect locally, but when I try to run it remotely it does not drop a shell. Ever.
Please help me.

I have the key (pretty sure it’s av), but when I use the key to decrypt p*******.txt I get an incomplete output. It looks like a pass but the last 4 chars are munted. I’m running the script server side so there should be no issue with the file. Any hints? it’s driving me nuts. Are we supposed to brute the last 4 chars?

@v0yager said:

I have the key (pretty sure it’s av), but when I use the key to decrypt p*******.txt I get an incomplete output. It looks like a pass but the last 4 chars are munted. I’m running the script server side so there should be no issue with the file. Any hints? it’s driving me nuts. Are we supposed to brute the last 4 chars?

I was facing the exact same problem.

Without spoiling: Don’t trust your eyes on this one, take another look at the encrypted file in vim.

Feel free to PM me if you need another nudge

Can someone give me a nudge in the SSS.py? Can run print(1+1) via my code but can’t seem to escape something…

edit: nvm got it myself… made a stupid mistake.

After letting this box beat me for far too long… rooted!! Thanks @EstamelGG for the push in the right direction!

Not sure if it has been said, but for people who struggle with the crypto to get user,
you can bruteforce as a last resort.
You can use the SecLists ‘xato-net-’ list, the 1 million version. It’s smaller than rockyou.

done both ways. good exercise.

Can someone please help me with how to host SSS.py locally? I see everyone suggesting testing it locally and I know where the vulnerability is but I don’t quite understand how to set it up so I can test it? A PM would be much appreciated.

Hi lads, doing my first steps with Python, and I managed to send a request to a webpage. Also found the .py on the website. Kinda having difficulties in creating the URL so I can run things… Any help would be appreciated.
Can anyone explain how the exec(info.format(path)) relates to the file in the next line? Is that the output of the exec?
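To make the pattern asked about above concrete: the following is an added example, not code from the box or from anyone in this thread. It shows why `exec(info.format(path))` is a code-injection sink, with the vulnerable form next to a hardened form. The template string `INFO_TEMPLATE`, the function names and the attacker input are all constructed assumptions; the thread does not quote the real script, so nothing here claims to reproduce it.

```python
import re

# Constructed stand-in for the template that a request path gets .format()-ed
# into before exec(); the real template from the box is not quoted in the thread.
INFO_TEMPLATE = "output = 'path: {}'"


def render_info_vulnerable(path: str) -> dict:
    """Reproduces the exec(info.format(path)) pattern: the path is pasted into
    Python source text and that text is executed. Returns the local namespace
    the executed code left behind, so the caller can see what actually ran."""
    namespace = {}
    exec(INFO_TEMPLATE.format(path), {}, namespace)  # data becomes code here
    return namespace


# Constructed attacker input: the leading quote closes the string literal,
# the middle is attacker-chosen Python, and the trailing quote keeps the
# resulting source syntactically valid.
INJECTED_PATH = "'; injected = 1 + 1; tail = '"

# Allowlist for the hardened version: only characters a URL path needs.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")


def render_info_safe(path: str) -> dict:
    """Hardened form: the path stays data. No source text is built or
    executed, and anything outside the allowlist is rejected outright."""
    if not SAFE_PATH.fullmatch(path):
        raise ValueError("path contains characters outside the allowlist")
    if ".." in path:
        raise ValueError("path traversal is not allowed")
    return {"output": f"path: {path}"}


if __name__ == "__main__":
    print(render_info_vulnerable("/index.html"))
    print(render_info_vulnerable(INJECTED_PATH))   # 'injected' shows up: attacker code ran
    print(render_info_safe("/index.html"))
    try:
        render_info_safe(INJECTED_PATH)
    except ValueError as err:
        print("rejected:", err)
```

The point the example makes is that the exec line and the "file in the next line" are unrelated as far as the attacker is concerned: whatever the script does afterwards, the formatted string has already been run as Python by the time that line is reached, so the only boundary that matters is whether user-controlled text can reach the `.format()` call at all.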

If somebody could PM me for a nudge to get the initial shell would appreciate. Tested locally but seems like I can’t make anything work. Thanks in advance.

Finally figured it out … I must say, the python scripting was a challenge for me… Rooted!

Really having some trouble getting user. Found some interesting stuff in h*** directory of r***** but can’t for the life of me figure out what to do with it. Please help!

edit: got user after reversing the logic in SSC.py

I got access to the SSS.py file. I understand that it is necessary to get RCE, I found the necessary function.
But I have implementation problems, can anyone help?

Foothold was very tough for me, after that it went really smooth. Learned a lot of small things too. Thanks for this box!

Had a lot of fun with this one.

Was definitely a box I had to come back to as the foothold was a bit challenging.

Can someone else who has rooted this message me to compare methods?

I feel the root was very easy to get compared to the foothold and user. I’d like to compare methods used.

Thanks @clubby789 for creating this box!

wfuzz only gives me a few special chars and i***x.html. Am I missing something? I did see some files in iges but not sure if that was a rabbit hole.

@walk said:

wfuzz only gives me a few special chars and i***x.html. Am I missing something? I did see some files in iges but not sure if that was a rabbit hole.

EDIT: Nevermind found the directory, learned a tiny bit more about fuzzing. my overcomplicating a$$ lmao