Official Moderators Discussion

Official discussion thread for Moderators. Please do not post any spoilers or big hints.

Great foothold! Shows that things that look random are not so random at all. It appears I am stuck on the next exploitation though… This might hurt my brand, but there is something that appears highly exploitable, but doesn’t call me back. Can someone DM me a nudge on what might be preventing what looks like obvious execution?

1 Like

I’m stuck in the same place. The exploit in question is from 2016, so maybe it’s a rabbit hole?!

1 Like

I am going to assume that it is indeed disabled. You would need a privileged account to re-enable it though I am guessing.

Got the user flag. Box is kind of annoying me at this point :sweat_smile:.

1 Like

Great job. The privesc to user was the most annoying for me. But the rest is quite fun and intuitive. I managed to get root.

1 Like

Got root! Not my all-time favorite box, but I learned a lot on the root privesc. DM me if you need assistance as some parts of the box are a little iffy in my opinion.

Any nudge for escalating to second user ?

If you got the first user then you exploited a certain plugin. Was there something else that you haven’t exploited yet? What additional access does this user have that the previous shell didn’t?

This is so stupid about root access, I don’t even want to waste time on it :laughing:


Had a couple weird issues w/ the box along the way, especially with initial foot hold (root i just realized i was doing something dumb :rofl:) This one definitely tested my patience lol but I learned a couple new things along the way

Feel free to DM if you need assistance! especially if you feel like something should be working but isn’t

Just rooted the machine… what a trip… :smiley:
It was good… it really tested my patience at some moments… however i can say that i learned a few things from it, the most important enumerate a LOT and everything…
Few hints from me

Initial Foothold:
As a start try to find all possible vuln disclosures, one of them will hold a hint, after you find it just look at the format of the name mentioned there and try to “apply” it for all found files, little more enumeration and you will land to the “entry”.
In order to achieve what you want you will have to bypass few filters (all at the same time)

Again enumeration… maybe there is something more running on the box, when you find it dont count blindly on the usual scanners, just find the files on the server and check the p*****s yourself you will quickly see how to proceed.

With your new shell maybe now you have more access to certain files… read the juicy file for the whole installation this will give you access to the backend. From here there are actually 2 approaches one which is easy and the harder one (the one that i took :smiley: ). You can just “force” your way in to the application and have a nice plain view… , or you can get everything from the database and try to reverse it.

For me this was the hardest part(and the one that tested my patience most… ), maybe because it was pretty new thing to do… there is not much to say here… when you see it i guess that you will know what to do.

I hope that i didnt post too much :smiley:
Feel free to DM if you get stuck anywhere.

Anyone else getting the error

mount: wrong fs type, bad option, bad superblock on /dev/sda,
   missing codepage or helper program, or other error

After spinning up the new VM