Official Feline Discussion

NS9 · December 29, 2020, 10:14pm

Hello
I’m stuck at container creation as root@2d****7c,
I have a cl error:
cl: (3) Failed to convert –unix-socket to ACE; string contains a disallowed character
can somebody help ?

damnc · December 30, 2020, 10:49pm

Finally!

Personally, I found that getting user was, frankly, quite easy (even in comparison with some easy and medium boxes). Sometimes, we just need to go the wrong way to find the right path.

It took me a while to pivot, but it was me going down a rabbit role. Once you enumerate it, it’s rather clear.

How to get to root was clear, but I confess I still struggled to escape what limited me. It seems I need more practice on that.

beyounn · December 31, 2020, 6:30am

Nailed it, feel a lot smarter

mkampo · December 31, 2020, 5:24pm

Hello everyone! I have a tough time exploiting the Tt Sn Dn vulnerability. I am uploading files and mess around with the J** parameter in Burp and curl but can’t figure out where the files are uploaded. I would be grateful for any nudges, because surely I am missing some pieces.

Also, happy new year!

TazWake · December 31, 2020, 6:17pm

@mkampo said:

Hello everyone! I have a tough time exploiting the Tt Sn Dn vulnerability. I am uploading files and mess around with the J** parameter in Burp and curl but can’t figure out where the files are uploaded. I would be grateful for any nudges, because surely I am missing some pieces.

Also, happy new year!

Try tampering with an upload. If you take something away, the response gives a path.

f0xc · January 2, 2021, 2:33am

Holy smokes this was one of my favourite boxes so far!

jw0 · January 3, 2021, 2:46am

Any nudges for privesc? I’ve started probing the internal c___yw__i server 172..._ and getting some responses, but POSTing data is just giving me unauthorized. Am I falling down a rabbit hole or just not crafting the right commands?

edit: classic… as soon as I post this I find something new

Rooted. That was sort of a rabbit hole… my advice if anyone is at the same point to look at the other ports that are used to validate that one

undefinednow · January 13, 2021, 7:54am

Just a hint to others. I’d been ripping my hair out for a day because I knew my attack for user was correct but couldn’t figure out why my file wouldn’t upload properly. Make sure you have the latest version of Java installed on your kali machine when generating the payload. Even if you have an old version it will still successfully generate and give you no warning.

d0048 · January 18, 2021, 10:14am

Got user, but rather clueless which path should I take to root. I found some suspicious local ports but got no juice out of it.

Also found a weird bg.png and commented code in s***t.js which when combined leads to cool visual effects but seems unrelated to the box itself. I couldn’t extract anything useful out of the png file itself either, although it is visually different from what it should be.

TazWake · January 18, 2021, 10:38am

@d0048 said:

Got user, but rather clueless which path should I take to root. I found some suspicious local ports but got no juice out of it.

Double check what you have found.

Skim1k · January 20, 2021, 4:57pm

Rooted. Hard mode.

root@b0a43eaddd0d:~# ls
ls
root.txt
snap

cnmprfx · January 21, 2021, 8:22pm

Type your comment> @sm4sh0ps said:

Type your comment> @m0zzare11a said:

Question, for the exploit writeup from a blog about the RE vuln, are we supposed to receive error messages as shown in the writeup? Burp doesn’t return any s***** errors if you direct it to the wrong location for me

From my experience it doesn’t cause expected error 500 for random location. You only see an exception if payload ‘worked’.

This just helped me as well.

x3bra0 · January 24, 2021, 11:53pm

I feel like I’m missing something obvious or my payload is malformed. I’m stuck at fe u****d stage, and could use a hint. I know there’s a C for the library in use, I just can’t work out the exploit

TazWake · January 24, 2021, 11:56pm

@x3bra0 said:

I feel like I’m missing something obvious or my payload is malformed. I’m stuck at fe u****d stage, and could use a hint. I know there’s a C for the library in use, I just can’t work out the exploit

Location might be the issue.

HcKy · January 26, 2021, 1:48am

Finally got around to finishing this.
Had quite a bit more trouble with user than with root.
PM for nudges

FQuen · January 29, 2021, 2:20am

Trying to do this one as my first hard box. I’m pretty sure I know what to exploit and found a blog post about it. Regarding the upload path, I have 2 paths. I tried them both but Feline does not curl back to my machine

0x4A45 · January 30, 2021, 11:12pm

This was a really educational box. I got a bit frustrated as I could not solve this one for a long time. One stumbling block I had to overcome was that I misunderstood some nudges in this thread, about being inside something.

You are not inside something, initially.

If you are stuck like I was: Don’t get frustrated and take your time.
There are useful things to learn here

k1ngPr4wn · February 12, 2021, 3:46pm

I cannot figure out how to find the path… I see the misleading error’s path but do not understand how to turn that into a .s*****n payload

Edit: Found a POC which had the right path in it… probably written for this box. I’m still curious if there was a way to discover it. It doesn’t seem possible after looking through the source code.

gamerkcw123 · February 12, 2021, 8:24pm

Spoiler Removed

Oussmak · February 14, 2021, 7:24pm

I could get the root flag of the machine and i could nc my machine, but i can’t get a reverse shell. is anyone available for some questions ?

NVM: Solved it