I couldn’t figure out how to do it any other way.
I fianlly rooted this box, thank you though !
Hey everyone, could anyone give me a nudge for the foothold, i’ve found the vuln but I have trouble understanding how to exploit it in this context.
nice box, never did the thing needed for user before, but I eventually managed. but holy root was well kinda free? 
It’s a really good box ! But I’m still stuck at initial foothold 
. I managed to download the dll and disassemble it with dnSpy, I think I have understood the code and the potential vulnerability but I’m not sure. Is it related to deserialization or reading file, most blog post explaining the vulnerability works for Windows and not Linux.
Edit : I rooted the machine ! I spent some time mastering the vulnerability and his concept, but I learned a lot
why when i try access whit ssh whit the rsa it gave me this error :
key whit perm at 600 give me this
Load key “id_rsa”: error in libcrypto
and if i change perm at 6000 give me directly access denied and this :
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
p.s. since the key came out basically in one line whit varius ‘/n’ i tryed to remove all of them manually and not nothing i cant get into P account whit his KEY…and i even checked varius write up online to see if the key is the same and the key is her …
what can it be ? ? ? miscofig of ssh ? wrong key format ? im going mad
1 Like
I have the same issue. Did you solve it?
watch out for the format you got private key in, specifically replace “\n” with actual newlines 
I went down a lot of rabbit holes before getting user, very tedious but I learned a lot, root was a piece of cake in comparison.
i did that but didn’t work for me
i still get the same error " error in libcrypto"
i tried full path. relative path, moving it to my .ssh, changing to 600, changing to 400, deleting last line, failed to convert it with ssh-keygen, i tried to paste it directly to the command, i tried to make it one line and save it… putty didn’t work, gssl deactivation didn’t work…, changing directory’s pr to 700 didn’t work
nothing works
Hi! can you maybe help with this?:
I downloaded the private key and try to connect with ssh. I get the same error again and again: " error in libcrypto"
i tried adding full path to the ssh command. relative path, moving the key to my .ssh directory, chmod to 600, chmod to 400, replacing \n with newlines, deleting last empty line of the key, failed to convert it with ssh-keygen, i tried to paste it directly to the command line, i tried to make it one line and save it to a file and use it… putty didn’t work, gssl deactivation didn’t work…, changing directory’s pr to 700 didn’t work
nothing works 
I searched for the error out of the context of ctb and I didn’t find any answer that works as well
1 Like
Hello 
But are you sure you used the right key? It should be id_rsa 
The end felt kinda rushed but other than that… a really nice machine! Reversing code is always a great plus.
hi the solution to my problem with the key was that replacing the \n caused some issues. make sure your key has 38+1 lines
If you can’t download the dll. Maybe you have invisible ‘\0’ char in your request in the Repeater.
You can click “\n” in Burp Repeater to see them, or just use your web browser that will remove them. I did loose a lot of time to these.
you actually don’t need burpsuite to download the file. Just type the right url in the browser.