For those trying to get user: If you are stuck and lost, try to find an exploit on GitHub
this one put some hair on my chest. i'm still making stupid mistakes and overthinking/underthinking the wrong things but this machine got me to a good place. let your eyes adjust to the dark and you'll see a nice line of breadcrumbs.
is somebody having issues to get root flag?
I tried to escalate using one vector that the enumeration showed to me, but no luck. Also, the usual sudo -l that I always check. the command returned this message:
matt@pandora:/tmp$ sudo -l
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to initialize policy plugin
PS: even after resetting the box, the issue persists
i had similar issues w a certain user until i got a more stable shell
finally rooted. definitely, you need a "rocky stable" shell to get the job done to achieve root. otherwise, well you will see it
foothold: enumerate and walk through your results.
user: The hardest part. once you are in, keep enumerating, google it, understand how to get in and exploit it
I can't agree more with previous commentary: this is the "hardest" easy box that I've ever done here.
good luck
To everyone suggesting using an ssh session when trying to root, does it not prompt you for a password?
Even though I've dumped my ssh pubkey in m***'s authorized_keys - it still asks me for a password when I try and ssh in
Chmod 600 the private key
permissions are all correct on both the authorized_keys file and my own private key
Edit: my b, there was actually a permissions issue on the remote. thank you @alemusix
finally done! root was quite fun… user was a bit too much for an easy box IMO.
regardless, a fantastic box!
Even though it turned out to be the permissions for you, what cost me some time was that the very basic shell I got through the exploit was only a frontend for the webshell and every "+" in the public key was replaced with a space before it was written to the file. I had to URL encode them. Might be helpful for others.
I've got root on the box now, but would be really curious to know if anyone can explain why you need to "upgrade" your shell before you can exploit the vuln?
(I've got a theory but I'm not 100% convinced I'm correct).
i echo @cascade, i'd love to develop a better understanding of what exactly the limitation was with trying to escalate a certain user from an unstable shell
… and rooted
That one didn't resist long. Nice and easy one! Thx to the creators
Very simple :
ssh -D {a port on your local machine} stuff@target
(without the brackets obviously )
And then use proxychains4 : (you have to add the opened port passed to ssh -D in the config file of proxychains if I remember)
proxychains4 your-browser
And in your browser , you go to http://localhost/
EDIT: Got root! if you're stuck on root, look at GitHub
Guys, I got hashes from DB for the second user. However, I cannot crack it with rockyou.txt, do you have any suggestion?
There are 2 ways for user. Unintended way has fewer steps in order to gain RCE.
Sorry to bother you, I want to know that session is one of them, right?
Because I can only find Matt right now
This forum is so confusing. Literally don't know what reply is for main thread and what is for private message. I think you accidentally posted this in the main thread xD
Hi wasting time for 7 hours and i am very new to this. How to open this Pandora box, any hint will help. can anyone help me in PM?