Obscurity

Got the sss.py server file page.
Found the hole in the function.
I tried python re***** s****
Understood the formatting, and tried locally. It’s working. Got shell locally.

But I am trying the same thing in Obscurity via browser and Burp; with both I got nothing.

Help me.

Which is faster? Bash script or Python script?

@HashCrypto Bro. Bash and sh are both working on my local server only.
I got nothing from Obscurity.

Great box. Thanks @clubby789!

Foothold: OK.
User: Lost with py script and the “1 + x = 2” files…

Can someone enlighten me?

Help a brother understand the vulnerable part of the Python script, guys, I’m just stuck here.
I read and understood most parts of it and I’ve gone over it several times, but can’t understand the vulnerable part in the script. Lil assistance please. God bless.

Awesome box. I liked every part of it and I learnt how to REALLY have obscure thinking :P.

INIT: Take a deep breath. Don’t let your brain get fuzzed. Try to think on the p thing.
User: Oh boy you need a zodiac to solve this.
Root: Typical Privesc. I’ve seen it in many boxes around here. If it works then it can work with something else or somewhere else.

Finding the initial script was a pain, but everything else was pretty fun. This box requires a decent understanding of Python, and isn’t something you can just searchsploit your way through. Overall, a great box.

PM me if you need help!

rooted this one.

Was a nice one, not so easy for me. Lost myself in fiddling with a py script to get user credentials, but finally got it.

Every hint was already given in this forum but one little extra might help someone: read the format for the arguments of a script very carefully! One might be a file input while the other requires plaintext. Result might be messed up if not done right.

Root solved with a little bash script. Was the easier part for me.

If you need a little nudge, feel free to send a PM.

Fun box. I very much enjoyed this one.

Foothold: All the clues are available, but what do they actually indicate? Once you work out what needs to happen, there are many tools available to accomplish the task. Pick one and have at it. Once you gain the juice you’ll need to understand what you are looking at in order to take advantage.

User: Enumerate. Then digest what you find. You’ll need to be a beginner at PyFu. Only a beginner though. No writing required at all, as long as you really can read.

Root: At this point, you’ve probably got the gist of what clubby789 is trying to teach us. This last snake has thrown security to the wolves! Good news for us though eh? At this point you may choose to develop your own solution to the problem.

Good Luck!

@msraja Bash was slower than Python when I tried it in Obscurity… but Google says otherwise. Try Python to do your thing.

Hi,

Found the SSS.py file, as well as the vulnerable function, but I am having a hard time figuring out how to get RCE.

I understand that .f##### is what is rendering the payload escaped, but couldn’t find a way to bypass this thus far.

Thanks for letting me know if I am missing something.

EDIT: Found the problem, thanks to ch3ckm473.

I didn’t encode enough, and using the browser instead of Burp did the trick. I then caught what was causing the issue to be aware of it for the next time.

Thanks ch3ckm473 and msraja, who reached out to assist.

@HashCrypto said:

@msraja Bash was slower than Python when I tried it in Obscurity… but Google says otherwise. Try Python to do your thing.

Ok Bro. Got it. Thanks.

I have figured out how to manipulate the server into executing code, but I am having a hard time getting it to pop a reverse shell on my machine. The usual commands are not working, can anyone help me out?

Trying to get the initial foothold. dirb, gobuster, wfuzz, ffuf all bomb out with “empty reply from server”. Just requested a reboot and same issue. Anyone else?

*edit, wrong syntax.

deleted.

Still stuck at finding the secret directory… any hints? Pls PM.

Edit: got it

@Alpha19 said:

Still stuck at finding the secret directory… any hints? Pls PM.

Hi. If you found the file name, maybe including it in your research would prove to be helpful…
ffuzz or wfuzz are better for these kinds of assessments.

I am very lost with getting root… been staring at this script for days and not quite sure if something is missing on the server… like the folder that the script is supposed to write to keeps erroring for me… and I can confirm it’s not there so… idk

EDIT1: Okay, so I was able to get the script to run and grab the thing that is very short lived but… kind of lost as to what is going on after?

EDIT2: Got root but… I really don’t think it was the intended way?!? Haha, ah well.

ROOTED