Official Laboratory Discussion

@Link64 said:

@TazWake I agree but I haven’t found these keys in a “special” folder, or linked to a user.

Probably worth manual enumeration then.

@TazWake I will try to look for more details:)

C̶u̶r̶r̶e̶n̶t̶l̶y̶ ̶s̶t̶u̶c̶k̶ ̶o̶n̶ ̶r̶o̶o̶t̶,̶ ̶f̶o̶u̶n̶d̶ ̶̶̶̶̶̶r̶-̶̶̶̶̶̶̶y̶ ̶b̶u̶t̶ ̶d̶o̶n̶t̶ ̶k̶n̶o̶w̶ ̶h̶o̶w̶ ̶t̶o̶ ̶̶̶̶̶̶*̶t̶ ̶i̶t̶.̶ ̶I̶ ̶n̶e̶e̶d̶ ̶a̶ ̶h̶i̶n̶t̶,̶ ̶t̶h̶a̶n̶k̶s̶.̶
Rooted.
Big thanks to TazWake
PM if anyone needs any nudges.

@Kailez said:

Currently stuck on root, found *****r-******y but don't know how to ******t it. I need a hint, thanks.

Cat tells you what you need. Then you just need to find the right road to attack it.

Finished the box. Have mixed feelings about this. The foothold was okay, there was a common framework which had something right out the box that you had to use, enum would have led you there eventually. Once I attained foothold, user… yeah, overlooked the simple stuff. Let's just say I have a permanent alias now for listing things in directories.

Root: I went all catty wompus and apologize for dorking the box twice, but it was an experience.

root@laboratory:/root#id
uid=0(root) gid=0(root) groups=0(root),1000(dexter)

ROOTED!


Finally rooted. My hints :

Foothold : you have a particular service in front of you, no way to exploit it ?

User : this same service is the key, think about what you do with it, maybe about password ?

Root : much easier than user and foothold, look at what you can run, run it and try to understand how it works :smile:

Ok, a few hints to maybe make this an “EASY” box…

Foothold:

It’s not too hard anymore, once you know what to target. Someone scripted it I guess. M*F helped me and got the foothold in minutes. GoogleFU.

User:

Go through the comments in the forum, and you’ll know what to do. It’s a two step thing, reset to get access. Download and use to get user. Please remove if this is a spoiler.

Root:

Find that file. Your PATH, your will.

I found the article about g***** c*****d i******* and I found some scripts on e******* ** but I still don’t know how to exploit it. Can someone help me?

foothold was a lot harder when this box came out right?

If I wouldn’t have that mts***** m***** this box would have been hell

Hello!
Could someone DM me how to get user on this beast? I read all posts in the forum, but I’m still in the dark for a while now… I got in with the fresh script. I’m the g** user, I know that I am inside a c*******r. I found a private s**-k**, but it won’t work for any known users… Thanks in advance!

@Dzsanosz said:

Hello!
Could someone DM me how to get user on this beast? I read all posts in the forum, but I’m still in the dark for a while now… I got in with the fresh script. I’m the g** user, I know that I am inside a c*******r. I found a private s**-k**, but it won’t work for any known users… Thanks in advance!

The application you are in has a command which archives things and can be used to dump out stuff previously archived and give you some idea of where to look.

Then you will find the thing you need to get the way you are planning.

I need a little nudge for foothold / user

I have a very limited reverse shell, things like whoami, id, git help are things I can do. All the rest …grrr…

The (secret) keys won’t work for ssh even with a tool to convert them. What am I missing??

@mrZapp said:

I need a little nudge for foothold / user

I have a very limited reverse shell, things like whoami, id, git help are things I can do. All the rest …grrr…

The (secret) keys won’t work for ssh even with a tool to convert them. What am I missing??

They are useful for getting an initial shell but that’s about it.

After that you can look at the commands available. The post directly above yours says:

The application you are in has a command which archives things and can be used to dump out stuff previously archived and give you some idea of where to look.

@TazWake said:

@mrZapp said:

I need a little nudge for foothold / user

I have a very limited reverse shell, things like whoami, id, git help are things I can do. All the rest …grrr…

The (secret) keys won’t work for ssh even with a tool to convert them. What am I missing??

They are useful for getting an initial shell but that’s about it.

After that you can look at the commands available. The post directly above yours says:

The application you are in has a command which archives things and can be used to dump out stuff previously archived and give you some idea of where to look.

Okay, thanks!

Initial shell… check :slight_smile: the other part I will dive into

Getting the error while working on RCE
(irb):48: syntax error, unexpected tSTRING_BEG, expecting do or ‘{’ or '('
Can someone DM me for a solution? I am stuck.

Rooted. Another enjoyable box.

Happy to help.

Hi! Has anybody tried to generate a cookie using the g***** console, for a cookie ser********** attack? How do you write the payload for the reverse shell? It’s trying to run the curl command for some reason. I have no Ru** skills so I’m stuck in this part.