Official Luanne Discussion

wow, this and laboratory are kicking my butt!!! any help would be kindly received !

Finally rooted,stuck for a long time,some tips:
1.Get a good Dicts,if you don’t use kali linux.
2.Enumerate…and look up information.
3.Watch out any information you can get.
4.”Guess”….,something you got before maybe is useful.

Spoiler Removed

managed to get root. very interesting box - I learned a lot. foothold was the hardest, mainly figuring out which characters to use to escape the parameter. after that the path was fairly straightforward, although I overcomplicated things with root. thanks @aio for getting me out of the hole.

thanks @polarbearer for a great box.

Spoiler Removed

@unkn0wnsyst3m said:
Type your comment> @balkan said:

any hint? im stucked in /w******/f*******?c***=l***

if you are an english speaker this is a huge spoiler…how the heck did you guess that???

never mind, dangit!

Finally rooted :smiley: thanks for the box @polarbearer
If anyone need a hint, DM :slight_smile:

Finally rooted the machine, it was a fun box.
Initial foothold:Enumerate properly and try to think how you can close what the computer started and then make it do what you want.
User: What is this guy doing
Root: home dir has the key to his power

Thanks @camk and @trcm for the nudges

PM if you need help

can someone give me a nudge on the ‘c’ parameter? I understand the concept, i understand how to theoretically do it, just would like some help with the methodology used to discover it and to achieve the end result. thanks team!

Type your comment> @trcm said:

I hate having to load up BURP every time I want to encode a string…
I found curl -G --data-urlencode "param=value" url helpful!

@bw00lley thanks, I also discovered a similar (but longer!) curl method :

$ curl -Gso /dev/null -w %{url_effective} --data-urlencode @- “” | sed -E ‘s/…(.*)…/\1/’

But the shortest I found was simply :
$ jq -sRr @uri

Fairly enjoyable box - I can see why it was rated easy but there were some gotchas for people.

Pretty much all the good tips are already in the thread. All I can suggest is understand the OS a bit as that really helps. Two steps are very specific to that environment.

Pff. Somebody copied root flag to /home/root.txt with 777 perms :lol:
Can’t rm it, still doing user - restarted the machine.
Please be mindful guys.

Rooted

uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)

Restarted again to clean it up.
DM if you need a nudge.

Rooted. This was a fun box and thanks @polarbearer
If anyone needs a hint, DM :slight_smile:

Jeez, I needed handholding through getting user. Foothold and root were OK but I could not work out how you would know how to get user. I guess you just need to try that every time!

Type your comment> @bw00lley said:

Jeez, I needed handholding through getting user. Foothold and root were OK but I could not work out how you would know how to get user. I guess you just need to try that every time!

haha can you hold my hand to pay it forward? lol to me the next logical step is to exploit a similar looking service but running with user perms…but it doesnt seem vulnerable (i feel like i have new creds but am unable to find where and how to use them!)

Type your comment> @unkn0wnsyst3m said:

haha can you hold my hand to pay it forward?
Have sent you a PM.

so I’m stuck as the _h**** user and can’t get user. Any hints please DM. I can explain what I’ve discovered so far.

@s3gf4ult said:

so I’m stuck as the _h**** user and can’t get user. Any hints please DM. I can explain what I’ve discovered so far.

This is possibly one of the more challenging steps.

The place you’ve landed has what you need to access a resource you couldn’t previously access.

Now you are inside the wire, you can access it differently and through some command line requests, you can get it to give you what you need to get a real shell.