Teacher

Got root shell in a non-destructive way. Would love to hear how you guys approached root, DM if you’re interested in sharing. Also open to questions if anyone needs help.

Hello guys, I got user for this machine and now I am on the way to getting the root user. I know what the vulnerability is, but for some reason I cannot exploit it. Can someone help me with the final step?

Managed to get both flags. Although this one felt pretty straightforward in places, in others it was a brain melter. It took a lot of enumeration and really understanding the output to get this one. A bit CTF. To be fair, not sure why user creds would be where they are in the real world, or why the initial foothold would end up where it is. But a fun puzzle.

Initial foothold: what seems out of place? There are enough breadcrumbs to go deeper. Viewing source code of web pages should be standard enum for any box.

For the low priv shell, do some googling. You’ll find a pre-written exploit rather than needing to do everything manually. However, I found it very helpful to read the blog post of the guy who found the exploit to understand what was going on. It allowed me to modify the exploit to work for this environment and be a bit more efficient.

Once there, more enumeration: read every file that may give you something and use any creds you find to go deeper still, gaining access to user shell.

For root.txt, I managed to read the file, but have not yet figured out how to get a full reverse root shell (at least not without breaking the box), so if anyone wants to drop me a PM I’d be grateful for the knowledge.

Not able to find initial password. Can anyone PM me for hints? Thanks.

Hi, I need help with the initial password. Can anyone text me, please?

Thanks

@vno @evilcall make sure both of you look for the password everywhere, even where at first sight it’s not supposed to be. A good way to do that, if you are a Linux user, would be to “mirror” the static files of the website to your computer, and grep for relevant strings.

Not sure if my advice should be considered spoiler…

haha I got it.

Low priv to user:

Enumerate using credentials found
Little Google helps

Hi guys, please confirm that for the low priv escalation from w* user need to use certain CVE and escape from db
Thanks

@Mefodey said:

> Hi guys, please confirm that for the low priv escalation from w* user need to use certain CVE and escape from db
> Thanks

not needed

Is --chp*-a*****=
Worth pursuing?
Would appreciate a PM about root

I need help with root.
pm about it

Rooted, forum is more than enough for user.

Root is straightforward

Edit: removed spoiler

Is the ba***** file the right way for root ?

Thank you

So I am at the low priv shell, I have enumerated a certain db and have some creds, can someone give me a hint on how to move to the g****** user in the shell?

Practicing locally to get wild for the weekend but stuck with my remote destination. Anyone available to idiot check my syntax?

Edit: Got it, sleep helps a lot

User and root flags in my pocket!

But… but… was anyone able to get a root shell?

If so, I would be happy to talk about it!

Any tips on getting root shell? I’ve tried a ridiculous number of tr with --c options and cannot get to call me. I’m pretty sure it is about the absolute/relative paths or the nested directories depending on where crj is calling the original binary from. Please PM with hints or let me bounce this off of you to see if I’m wasting a lot of time.

Got a low priv shell but have no idea what to do next, been looking through the files.
PM for help pls!

Is the root password crackable? I grabbed shadow the same way I grabbed root.txt. I don’t know any other way of getting a root shell at the moment. Am I missing something?