Official Doctor Discussion

I got the login page!! … let’s keep going !!..

Definitely not a beginner box…

got local shell but stuck in root :frowning:

finally got the root! PM if you need nudge

What’s up with this hash? Looks like BCRYPT but hashid says it can’t identify it

Need nudge for foothold

@LMAY75 said:

What’s up with this hash? Looks like BCRYPT but hashid says it can’t identify it

Box maker egotistical said the following in discord:

“Just fyi, no bf or cracking required
If you’re cracking open rockyou you’re doing it wrong”

@cool4coder said:

Hereby I would like to nominate @egotisticalSW officially for the troll-of-the-month-award for outstanding achievements in the field of hacker/pentester/itsec-researcher deception during recon.

Those who found their way to foothold without a hint or nudge from a third party should be rewarded with a hawkeye-badge on their user profile page.

lol

foothold : stay low & basic enum
user: id
root: go higher

Got User, root is next :slight_smile:
For User: Enumeration is really the key, but if you need a hint, DM me here or on Discord

For everyone who is struggling just check out the ART image of this box. That’s a big hint.

Rooted, Knock my inbox for hints. But describe where u stuck.

Has anybody taken a look at the machine’s OpenBSD Secure Shell server after rooting and is interested in discussing the modification @egotisticalSW has done to it with me in PM?

Getting user was more challenging than I’d expected and now the “release arena” session keeps crashing out on me.

Can anyone help me? I’m stuck after logging in

Quite a fun box! There are multiple (intended) ways to get user and root, so don’t be confused if a hint here doesn’t make any sense for what you are trying.
Feel free to send me a PM if you need a nudge, but please tell me what you have already done, and where you are stuck :slight_smile:

Spoiler Removed

@LMAY75 said:

Root: Try your original exploit idea again.

Good advice - interestingly I tried it first as well, took me a while to give up on it and look elsewhere.

“root@doctor:/root# hostname && id && whoami
hostname && id
doctor
uid=0(root) gid=0(root) groups=0(root)”

Nice box!

The foothold was def tricky. After I did it I was like: Really?!?!

Spoiler Removed

@wazKoo said:

Wondering how people discovered the 1st exploit S**I on that page. Since it was kinda blind not knowing how to trigger and check the result

Not sure what S**l is in this context. The first exploit I used wasn’t blind. You could see the response in the next page - it’s just that sometimes the browser hides that type of data from the rendering engine.