Official Meta Discussion

Hey, thanks. Rechecked my exploit and found a silly bug :rofl:
Got root! Nice machine!

I can confirm that. Spent the last hour and a half trying to understand why the exploit wouldn’t work, reset the box, and it worked on the first try.

Can you please stop DoSing the machine!!

thank you.

Hello everyone on the box :slight_smile: ,
I did manage to get a working exploit, but it seems like a problem on the box. Can you vote with me to reset it?

thanks.

Hi. I’m struggling a lot with the id_rsa key. Anyone else have a problem with this?
Load key "id_rsa": invalid format
Anyone else had the same problem? Don’t see any way to go further without using the key.
Regards

I have exactly the same problem. Did you solve it?

Check that the file is formatted correctly. The expected file format is:
— XXX —
sdffdfsdffsdffsf
— XXX —
newline here

Easy to mess up and somehow remove the newline, when copy&pasting, happened to me, too :slight_smile:

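A quick checker for the formatting problems described in the answer above (the newline after the END line lost in copy/paste, Windows line endings, dashes turned into typographic characters by a forum or editor). This is an added example, not code from the thread; the key body in the constructed sample is a placeholder, not a real key.

```python
import os
import re

# Constructed sample: an OpenSSH key block pasted with CRLF line endings and
# without the newline after the END line (the base64 body is a placeholder).
SAMPLE_NO_TRAILING_NEWLINE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
    "c2RmZmRmc2RmZnNkZmZzZg==\r\n"
    "-----END OPENSSH PRIVATE KEY-----"
)

HEADER_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+PRIVATE KEY)-----$")
FOOTER_RE = re.compile(r"^-----END ([A-Z0-9 ]+PRIVATE KEY)-----$")
BODY_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def check_private_key_text(text: str) -> list[str]:
    """Return the formatting problems that make ssh report 'invalid format'."""
    problems = []
    if "\r" in text:
        problems.append("CR characters present (Windows line endings)")
    if not text.endswith("\n"):
        problems.append("no newline after the END line")
    if any(ch in text for ch in "\u2014\u2013\u201c\u201d"):
        problems.append("typographic dashes/quotes present (forum or editor substitution)")
    lines = text.replace("\r\n", "\n").strip("\n").split("\n")
    head = HEADER_RE.match(lines[0])
    foot = FOOTER_RE.match(lines[-1])
    if not head:
        problems.append("first line is not a -----BEGIN ... PRIVATE KEY----- header")
    if not foot:
        problems.append("last line is not a -----END ... PRIVATE KEY----- footer")
    if head and foot and head.group(1) != foot.group(1):
        problems.append("BEGIN and END labels differ")
    for n, line in enumerate(lines[1:-1], start=2):
        if not BODY_RE.match(line):
            problems.append(f"line {n}: not base64 (stray whitespace or wrapped text)")
    return problems


def normalize_private_key_text(text: str) -> str:
    """Repair the recoverable problems: line endings, stray spaces, trailing newline."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    return "\n".join(ln for ln in lines if ln) + "\n"


def fix_private_key_file(path: str) -> list[str]:
    """Normalize a key file in place, set the 0600 mode ssh insists on, report leftovers."""
    with open(path, encoding="utf-8") as f:
        fixed = normalize_private_key_text(f.read())
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(fixed)
    os.chmod(path, 0o600)
    return check_private_key_text(fixed)
```

Mangled dashes cannot be repaired automatically, so the checker only reports them; compare the header and footer against a key you generated locally and retype them.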

My first medium box. Now rooted. It certainly was a step up and I struggled on each step.
Foothold: I ran my standard enum and found nothing of interest, even set some stuff because of something I read on the webpage…nothing. Then I thought of another enum approach due to the info on the webpage and fuzzed my way to something interesting. This will now be a default step for each box going forward. Overall…it took me over a day to come up with the idea.
Foothold->shell: About the only thing that was straightforward for me. Googling brought me to the promised land fairly quickly.
Shell->User: I had the basic idea quickly but it was fiddly to pull off. Took me a long time to actually find the attack vector though (I will run this tool always in the future…combining it with timeout 3m is useful). The blog post that writes up the basic attack was very interesting, I learned a lot.
User->Root: Found the basic attack vector on the previous step already. Took me quite long to actually put the required pieces together. Thankfully the first thing I always check after getting user already contained helpful information and basically all you need. That being said…it was almost a full day until it clicked.

Finally rooted my first medium box.

I learned a lot ! Won’t add to other hints as they say plenty already.

Message me if you are stuck ! :slight_smile:

This was a really fun box to work on. It’s not very heavy on the enumeration side; the vulnerabilities are mostly technical and exploitation is deliciously elegant.

Foothold. This is basically the only real enumeration you need to do. Remember that you can enumerate more than just directories. Once you’ve found it, notice that the server output is suspiciously similar to a certain well-known tool. This tool has a very nice vulnerability you can exploit to obtain foothold. There’s a couple good write-ups about this.

User. Once you’re in, do some basic enumeration. The thing you’re supposed to do here is a part of every enumeration checklist, so it should be easy to find if you don’t know what I’m talking about. You’ll come across another tool that has a similarly tragic reputation. Be careful, though: the server likes to take your toys away, so be sure to put them somewhere safe.

Root. Again, do a very basic thing that’s part of every privesc checklist. You’ll discover yet another tool that’s very popular in certain circles. Read up on how it works, combine this with what you already know about the user and the path to root will be obvious. You might encounter a small bump in the road here, but this is easily solved in the obvious way because the server is just really insecure.

I have no idea why I’m getting an error trying to connect through ss*, Permission denied, invalid pk.

Not sure what to do here.

Edit: Fixed the issue by reformatting the downloaded file. Seems like it’s obfuscated or something?

I have no idea how to get User,
I was able to reverse shell as www-data, but I have no idea how to escalate privileges to th****.
Can anybody help me ?

Hi, for those who have the issue about the format of id_***: take a look at your local id_*** file and format it in the same way…

I got user but I’m having a hard time with r00t. Do I do something with the conf file? Can someone give me a nudge?

I’ve found what I need to do to get user, and have successfully tested it both in the foothold and locally. However, while the system reports the commands to be running, I cannot even create a file in /tmp. Does anyone have any nudges?

I got it guys! I just needed to try harder :slight_smile:

Hi, it seems to me that the vulnerability was on the exif side in PHP. I tried to upload several images with modified metadata, but the code does not seem to run. Can you help me?

A really enjoyable box with no traps. Particularly liked the root path.

Thanks to the creators for taking the time.

Having trouble with foothold.
E*ift**l reverse shell works locally with version 12.23, but won’t work when I upload my image to the server. Am I using the wrong exploit?

Edit: I think there must be a step in between the RCE and foothold I haven’t quite grasped yet

Edit: There is not, something was wrong with my payload :stuck_out_tongue:

I think the box needs to be reset. I’ve just got root before getting user in a single, simple command.
Is this intentional? Surely not…

Edit: After resetting the machine bash is no longer SUID root… yikes :sweat_smile: