Official Academy Discussion

I am having trouble accessing the webpage for this. I was running into walls so I looked up a walkthrough to get me pointed in the right direction and seen that I should be able to access the webpage which was throwing me off. I can ping the box and was able to scan it but when I type the IP into the address bar, the redirect kicks in as it should but sends me to a page not found error. I have reset my VM, tried numerous servers (both US and EU) and have started a new instance of the machine itself and every time I get the page not found error.

@Op3nRec0n said:

I am having trouble accessing the webpage for this. I was running into walls so I looked up a walkthrough to get me pointed in the right direction and seen that I should be able to access the webpage which was throwing me off. I can ping the box and was able to scan it but when I type the IP into the address bar, the redirect kicks in as it should but sends me to a page not found error. I have reset my VM, tried numerous servers (both US and EU) and have started a new instance of the machine itself and every time I get the page not found error.

If you look at the nmap output it shows a domain name. Add this to your hosts file and visit it.

Just rooted. Thanks for all the advice in this forum. Let me know if you need help.

done, was a nice box! if anybody need a hint, let me know.

So, dumb question, Iā€™m new to this.

How are you all using scripts on the target box? I have tried to curl scripts from kali and curl is definitely working, but I canā€™t send the output to a file, even in directories where I have write permissions. It also doesnā€™t look like I can use the touch command.

Iā€™ve tried both of the known exploits (p***** and ma***) to pop a shell but it doesnā€™t seem like I have access to a lot of commands when Iā€™m there.

Getting kind of frustrated at this point because I have ideas about what to do from here but no way to execute them with the limitations of the shell I got from running the exploits.

Type your comment> @flanneljetpack said:

So, dumb question, Iā€™m new to this.

How are you all using scripts on the target box? I have tried to curl scripts from kali and curl is definitely working, but I canā€™t send the output to a file, even in directories where I have write permissions. It also doesnā€™t look like I can use the touch command.

Iā€™ve tried both of the known exploits (p***** and ma***) to pop a shell but it doesnā€™t seem like I have access to a lot of commands when Iā€™m there.

Getting kind of frustrated at this point because I have ideas about what to do from here but no way to execute them with the limitations of the shell I got from running the exploits.

not sure exactly what you mean. but you can host a mini python server on your kali box with python3 -m http.server and then use wget and such to pull files like that usually. if you have any specific questions or want to explain what youā€™re trying without spoiling you can PM me.

@flanneljetpack said:

So, dumb question, Iā€™m new to this.

How are you all using scripts on the target box? I have tried to curl scripts from kali and curl is definitely working, but I canā€™t send the output to a file, even in directories where I have write permissions. It also doesnā€™t look like I can use the touch command.

There is a lot wrapped up in this and ā€œnot workingā€ covers a range of situations. It depends on things like how you have your shell etc.

The most likely cause is a syntax issue, but without knowing what syntax you use, its too hard to guess if this is the case.

If touch isnā€™t working, there should be some form of error - is it that the command isnā€™t available or does it complain about permissions.

The specific error messages might point at the problem / solution.

Iā€™ve tried both of the known exploits (p***** and ma***) to pop a shell but it doesnā€™t seem like I have access to a lot of commands when Iā€™m there.

You should have an interactive shell which allows you to do the things you need, but I donā€™t recognise either of those two phrases for this box.

Getting kind of frustrated at this point because I have ideas about what to do from here but no way to execute them with the limitations of the shell I got from running the exploits.

In general there are a few ways to get scripts on to a box, but if you donā€™t have any write permissions anywhere something isnā€™t working. This box doesnā€™t have a jail.

The good news is that you donā€™t need to write anything or run any scripts to get the user flag on this box. If you can ls and cat you can get user, once you have user you can access via a different port and have a stable shell. Enumeration scripts are likely to be misleading.

First box without help and forum hints :slight_smile:

# whoami;id;ifconfig
whoami;id;ifconfig
root
uid=0(root) gid=0(root) groups=0(root)
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.215  

Iā€™m always happy if someone helps me or if I find a decisive tip here on the forum, so here are my two cents.

Foothold: look carefully at what you can find on some pages and in particular what you can manipulate. This eventually leads you to a new destination.

After some google fu you might find something interesting to try.

User: the most basic enumeration, as you should always do with web applications, this may lead something.

Root: now is the time for (world) peace. It tells you something, very clearly.
Donā€™t make it more complex than necessary, do some basic stuff in combination with googlefu.

If you need a nudge, feel free to send me a DM with what you have so far.

Need a bit of nudge guys. Got a foothold and have been enumerating quite a bit. Found creds in a config file thanks to nikto pointing out the file, but have tried mysql from the shell, tested reuse for that password on other found accounts in enumerating home dir, and reading through grep results and so on. Would appreciate some guidance, probably overthinking this.

EDIT: Nevermind, completely missed a certain file in academy
EDIT 2: And rooted, learned quite a lot from this box

just rooted, took me about 7 hours in 4 days. Not my favorite box here as I personally dont like challenges that involve eyeballing stuff and exhaustive searching. HOWEVER - this sort of exercise is excellent and an absolute necessary skill to have, so kudos to @mrb3n and @Cry0l1t3 for the box. Good tips here but super tricky indeed.

foothold: The app throws all kinds of curve ā– ā– ā– ā– ā–  at you, so observation is important. Take a pragmatic approach (go for the low hanging fruit/app). Watch how it works. Use tools that help you intercept those requests between you and the app. Once you figure out, the app will cough up pieces of information that will enable you to get further. One big hint about its weakness is found in the rating matrix. You can use the framework but maybe not if you want to treat this like an OSCP box :wink:

user : as I mentioned before, and so have other people, this is quite possibly the most frustrating part unless your g*rp and enumeration skills are strong. Read up on this, a lot! your enumeration scripts will help but bear in mind the access you have - the better access, the better they will work. So if you have a weak shell, keep looking around in places where web admins/devs leave their secret stuffs. lots of ā– ā– ā– ā–  to wade through, so precise and recursive slicing and dicing is vital.

root: not as straightforward as some people pointed out (a matter of opinion, tbh). This is because you are looking for a suer, i mean user, who can invoke the power - but there is more than one of those users :neutral: . If you find that user, then research what he/she can do and how to escalate out of that capability

Rooted in under an hour, box is far easier than some are giving it credit for. It re-inforces basic skills that can be often overlooked.

Foothold: As I said, the basics will do. There is nothing hard at all, just remember the first steps youā€™ve (probably) learned. Keep to the low-hanging fruit here.

User: Enumerate is key, but donā€™t look too far, there might even be some hidey-holes around!

Root : Check if you are allowed, and if not, maybe someone else can help you?

Finally rooted.
Quite often with boxes, You donā€™t know, what you donā€™t know. So the real skill here is to be able to follow small subtle bread crumbs and research the ā– ā– ā– ā–  out of things that you come across.

Foothold
Examine how the website handles your registration. Become some1 more powerful. When you have this power, you no longer share the same entrance as mere mortals.
Find a new place. Research what you can do with certain things if they are ever leaked into the open.

Not using MS will force you to examine the POC code and understand what is going on. You will need to make changes and put some reinforcements in the right place.

User1
How does a website add new users to their database? Look around. Then do something for lateral movement.

User2
Was on this for ages. Grepping for I donā€™t know what!
You have more power to see things. Before grepping, research this new power on the thing that you just did to get here. Now you should know what to grep for.

Root
You got this far, finish it.

just reset the box on us free server, turned out someone removed stuff that will lead to user flag, i wasted my day on this

cold

edit: got root, been misunderstanding how s*** powah is configured for months (group name vs file), hence spent hrs trying to hop to yet another user before getting root lol

Iā€™m back :wink: @egotisticalSW thanks - nice machine. Rooted it on time :smiley:

Finally:

hostname

academy

id

uid=0(root) gid=0(root) groups=0(root)

I took me a while, but reading here discussion really helps. Thanks.

Rooted
Really nice box , learnt useful grepping stuffs I didnā€™t know

Rooted. Perfect for my skill level, difficult enough without stopping me completely.

Only problem is that I found the mr**n priv-esc only because someone dropped a clue in one of the previous comments.

For those of you that found this priv-esc organically: How did you know to search for c***=**ā€™ ??

Anyone reading this that employed some cool grepping and donā€™t mind sharing, please message me with knowledge! My grep game is weakā€¦

Anyone who did this box without Metasploit?

I did it!!! wohoooo!!! So happy!!! :smiley:

Rooted, pm for any hints etc :slight_smile:

root@academy:~# whoami && id
root
uid=0(root) gid=0(root) groups=0(root)