Official Awkward Discussion

system · October 22, 2022, 3:00pm

Official discussion thread for Awkward. Please do not post any spoilers or big hints.

RubikCuv5 · October 22, 2022, 6:59pm

Good luck everyone

JacobE · October 23, 2022, 12:40am

EDIT: Turns out that the box has been patched. No rabbit holes anymore I guess.

Rooted. Like last week, this box has a giant rabbithole. Again, I might be missing an alternative path. However, I really doubt that. Looking forward to the writeups I guess.

Zerox9137 · October 23, 2022, 11:12am

Can not get R** from **k, is this rabbit hole?

JacobE · October 23, 2022, 1:00pm

Not sure what you are talking about. Shoot me a DM.

cybertank17 · October 23, 2022, 4:02pm

I think I fell into this rabbit hole that @JacobE mentioned earlier. However, if that’s not it I have no idea what is. Any nudges?

JacobE · October 23, 2022, 4:02pm

DM me what you tried

coopertim13 · October 24, 2022, 3:38pm

A patch has just been released for Awkward.

HINT: There are basically 0 rabbitholes for this machine, everything exists for a reason

If you’re keen, I’d have another look and see if you can get it the intended way too!

Note: The patch won’t show up until the box has been reset, so ensure you do that first!

shox161 · October 25, 2022, 9:41pm

Great box, intended path was interesting and I learned a lot. Had not done many of those exploits before.

nullb1te · October 26, 2022, 9:45pm

Great machine… i liked it a lot… and i was able to learn few things. For anyone stuck feel free to drop me a PM

Jocker · October 27, 2022, 4:02am

Stuck at form page anything i try its said blacklist character

Zerox9137 · October 27, 2022, 9:44am

That’s a rabbit hole, you don’t need bypass it.

BluesyPompanno · October 27, 2022, 6:25pm

Anybody knows how to exploit the awk command ?

Peter · October 27, 2022, 6:28pm

Any help with initial foothold?

Zerox9137 · October 28, 2022, 9:28am

You dont’ need.

sussyb · October 30, 2022, 6:34pm

I spent a few good hours trying to get the last step to work (root). I eventually figured out that the service hangs whenever it has been exploited and it’ll remain like that if we don’t clean up after ourselves. After some waiting and a restart I was finally able to get the root flag, but the service hung again. I’ll be cleaning up after myself, but I’m posting in hopes that the machine creator can figure out a more permanent solution.
@coopertim13 - PM me if you need more info.

robinas · October 31, 2022, 11:18am

This box has a lot of breadcrumbs to find in order to get access as user. There is something you enumerate quite early on which only becomes relevant once you get user. The escalation on several places gets a bit redundant, but was able to learn a lot from them. Take note of stuff as you go along as they all end up tying back towards the end.

flymomike · November 24, 2022, 9:29pm

How do you figure out which template is being used to leave the right request?

UDrinkincoffee · December 11, 2022, 9:08pm

Any hints on foothold for this machine.

Thanks in advance y’all

dylvie · December 15, 2022, 12:05am

A (not easy) medium machine at least for me. Who said there’s no rabbit hole? Some things supposed to work doesn’t work. Is it because it was patched?

FOOTHOLD : don´t be fooled. Login to the web app to see the code somewhere. Read that machine name many times. You have to read files from the box to get the juice.
USER : well, just login and grab flag.
ROOT : ongoing. Something to do with an alert script. Find what is going on in background.