@bluealder said:
I feel I’m so close to root, trying to exploit the rc command but find a way to either exec code or connect to my local rest-rc server hmmmmmmm
Depends on how “local” your r****c server is 
Got root, but I don’t think it was the intended way 
Pushed at root for a while, found a few possible entry points, but eventually I gave up and used the unintended method. If anyone can give me a hint for the proper one, I’d be very interested!
do not try to crack anything user wise use grep and look forensics wise at your d*r p and when u overlay to something useful you will see the mess of the ctf like setup he talks about
Any hint on user where should i look next, got a file lat*** with hashes and got the _c***** name … don’t know how to proceed from there!
I got root in the right way, now I’m satisfied.
Thank you for the box @thek, nice one.
Got root both ways now, great box I liked it a lot!
@gall0ws @bluealder I’m so glad you liked it 
Rooted, thanks @gall0ws for nudges. Fun box, difficult but doable. Good work @thek. Am curious if this can be exploited to get root shell or just read the flag? I did the latter. EDIT: nvm, I wasn’t looking closely enough.
User:
Enumeration leads you to a new sub. There’s more than meets the eye here; google it. Once you have it, make sure history isn’t doomed to repeat itself.
User2:
Basic enumeration and some elbow grease should give you what you need.
Root:
Look for what stands out in basic enum, read through the files and the commands you’re able to execute which maybe you shouldn’t. Google from there.
@east You’ll get the root shell if you don’t aim just at the flag.
anyone message me. how i can get a shell… i stuck in dirb…
Rooted very fun box.
User part it very fun in this forum has enoung hint.
Root part take your time to understand , What you can do.
We can got root 2 methods.
Very easy and hard but not much.
Manual document is the best friend.
Trick : root shell it has a little bug just look carefully.
Rooted.
First hard box. I guess i did root it the intended way? It seemed like it, can someone pm me what the other method is? Just curious.
For user much thanks to @backslasht for a the hint
A little CTF like, but had fun all the way! Thanks @thek !
Could someone give me a nudge? I have found a hash inside a file, but struggling to find the salt that corresponds to the hash. Is that even the right way?
Type your comment> @idomino said:
Could someone give me a nudge? I have found a hash inside a file, but struggling to find the salt that corresponds to the hash. Is that even the right way?
I got the plain text from it, but to be honest with you, I just wasted time there. You can own the machine without using B***t.
I can’t really get a hold of this machine, I found some dirs, a domain (with d****r), and a web app but I’m clueless as to how to proceed further.
EDIT:
Managed to get a cert file. Needing a key (i think).
Can anyone pm me a hint for root. Tons of enumeration but not seeing it.
did the box just got patched?? The way i did root, does not work anymore. But that was the fun part 
Hi, I would appreciate hint for root :), Thanks