Finally gain root access. Everything you need is already on this forum. Feel free to ask if you need help…
i got m****p***** Sh**l but have no idea how to find user and escalate privilage
The dirty thing exploit doesn’t work because sna* version is superior, but you can extract the payload and create a sna*. I faced a problem with existent dirty user so need to unsquash the sna*, edit commands removing user and group and recreate the sna* with mksq*. There are precise arguments. Search on internet.
Rooted, fairly easy machine, too much data can be intimidating and thus I went on wrong path sometimes, but overall a nice fun machine.
Foothold: name and tech
User: check for important thing and no need to leave the current dir
Root: You could be as strong as you want
PM if you need help
i learned new privlige method. :
Research more!
sometimes some files are easy to read. However, using that information in a ready-made system may require some research.
And Python is awsome
Getting on to the machine was a piece of cake using a certain known Kali tool.
I’m not going to lie I had to get some help to root this machine. I’m not sure how this is a easy box but wow you need to think outside the box.
Basically when you come across the command to exploit, you will come across something interesting in your research, you can use this to CRAFT something simple as others are saying. Don’t over think it like i did. Just check what it is doing and then go from there.
i got a problem after installing file.s*** the d*s user not exist anyone knows how to fix this?
I found a pretty handy shortcut in this box by accident / diligent background scanning. Don’t underestimate the power of brute force sometimes, is all I’ll say.
Rooted.
For me the hardest part was user. I thought m***l is the wrong path since it didn’t give me any output.
Took me hours to figure out that i just have to ‘exit’ to see the output 
Root was kinda straight forward. A lot of potential to overthink but i didnt fell for it this time 
Feel free to ask me for nudges.
Done!!! Have to reset the machine twice but it worked.
I juts got User flag on this box. Now going for root.
Pepe
Hmm, I got root now but just wondering if I got it as the result of someone else modifying some permissions for the normal user. I will reset the machine and see if that does the same.
Pepe
Yes, I was right. I reset the machine and then I had to do the right escalation to obtain root. Very interesting. Flag obtained.
Pepe
I found the public exploit but I need to be authenticated. however, i can’t create a user. it says contact the site admin.
Hehehe not bad
[root@armageddon /]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@armageddon /]# whoami
root
[root@armageddon /]#
Rooted. User part is a bit tricky, you first easily get a shell with another user. Then enumeration again from that shell, involving some knowledge/research about the framework. Backend CMDB took me a while to work with from the limited shell, and I had to crack a password.
Once you got the user foothold, the path to root takes less than 2 minutes, it’s very common and easy to execute (thanks GTFObins).
Finally rooted, I found the root easier than the user, after getting to syntax correct.
Tip for user: if you cant connect to the DB and have been the username you need already, simply use the many headed beast tool on another service!!
fun box
Foothold:
- some enum and close attention to the webapp version
User:
- ask John or his cat
Root:
- GTFOBins
PM for nudges
Rooted! DM if u need help
Stuck on user, found the m**** creds, but unable to get output from the service…a few people mentioned using the three headed beast on the other service so might try that. But pulling my hair out trying to conquer this m**** route. ughhh any help with that path is much appreciated 