Traverxec

luckyUser · March 8, 2020, 6:00pm

what’s the hash type of the pw you find in the hidden place? PM me if it’s a spoiler

nuggz · March 8, 2020, 7:47pm

Learnt something new in this one, happy to help/hint but not spoil for anyone else!

FatB0y · March 8, 2020, 11:53pm

Hey guys, is anybody having an issue getting an initial foothold on this box? I’ve tried both exploits. Pretty sure my commands are correct. This is box #3 for me so I would think my commands are correct by now.
Metasploit = NO SESSION
BASH SCRIPT = forward host look up failed. unknown host.
I have edited my /etc/***** file as well. My ip4 lcl.hb, ipv6 ip_addy traverxec.hb
I did read something about a DOS exploit. If someone launched a DOS that would explain why my packets are not reaching the machine nor returning anything, but the machine responds to a ping. I don’t get it? Any help is appreciated.

FatB0y · March 9, 2020, 12:24am

edit: I gotta nmap it again. I may have missed something.

paidtheprice · March 9, 2020, 5:29am

rooted. thx to @eviltor13 for the nudges

luckyUser · March 9, 2020, 7:10pm

This box tested my patience, to say the least. A lot of the results came from shooting random commands into the dark and hoping for the best. Here are my tips:

user
Read the man page for the service that starts with ‘n’ and pay attention to the part about how it interacts with users via URL manipulation. You may be surprised what you can access with that understanding. Another tip is that even though someone invites you into their home and doesn’t give you permission to do certain things, you can still access other rooms inside their house. You just need to know the names of those rooms and they’re freely accessible!
root
Once you start inspecting the special file close to home, don’t get sucked into a rabbit hole; I fell into that same trap. Instead, realize that there is a section of a certain command that’s arbitrary and seems a little out of place. After you get rid of that, ponder on the thought that “good things come in small packages.” Then you can GTFO, but don’t forget to pack light – LESS is more.

As a side note: user is far more challenging than root. I got root in under 24 hrs and user took me a bit longer. Once you get to the root portion, don’t over-complicate the situation. There is an easy solution to this that doesn’t involve calling your friend John or going over a binary dump with a magnifying glass looking for leaked creds or interesting directories.

Special thanks to @xbforce for the little nudge that I needed, and @GGHaley for suggesting this box after tackling Postman.

LightBulbR · March 9, 2020, 8:40pm

rooted. dm for hints.

secfrank30 · March 10, 2020, 11:53am

Rooted Took me some time to understand the prompt…

WireInTheGhost · March 10, 2020, 7:37pm

I have found a b***s.tgz file, keep getting the error "Unknown command: tar.
" when trying to unzip. Any pointers?

gotroot · March 10, 2020, 9:13pm

Good box with some tricky turns. Try to not overthink it. Root took me a minute to get but ultimately is very simple. PM me for a nudge

sakas4 · March 13, 2020, 5:35pm

Hello community,

I found a hash for dd user and iam using h**t to try to find the password.

But it takes so long and i dont know if iam in the correct way.

Any hints and PMs are appreciated.

Thanks in advance.

Edit: I managed to found the password finally, but i rly dont know how to proceed.

ReT · March 13, 2020, 6:17pm

Hi all,

I’ve managed to get initial shell. but i cannot seem to move around. Im stuck in /usr/bin.

any help would be great!

sakas4 · March 13, 2020, 6:41pm

Type your comment> @ReT said:

Hi all,

I’ve managed to get initial shell. but i cannot seem to move around. Im stuck in /usr/bin.

any help would be great!

cd …/…/

ReT · March 13, 2020, 7:48pm

Type your comment> @sakas4 said:

Type your comment> @ReT said:

Hi all,

I’ve managed to get initial shell. but i cannot seem to move around. Im stuck in /usr/bin.

any help would be great!

cd …/…/

yep tried that…

it doesn’t change my directory. im still in /usr/bin/ . im confused

sakas4 · March 13, 2020, 7:57pm

Type your comment> @ReT said:

Type your comment> @sakas4 said:

Type your comment> @ReT said:

Hi all,

I’ve managed to get initial shell. but i cannot seem to move around. Im stuck in /usr/bin.

any help would be great!

cd …/…/

yep tried that…

it doesn’t change my directory. im still in /usr/bin/ . im confused

Did you spawn a tty shell?

ori0nx3 · March 13, 2020, 10:02pm

Type your comment> @ReT said:

Type your comment> @sakas4 said:

Type your comment> @ReT said:

Hi all,

I’ve managed to get initial shell. but i cannot seem to move around. Im stuck in /usr/bin.

any help would be great!

cd …/…/

yep tried that…

it doesn’t change my directory. im still in /usr/bin/ . im confused

If you’re running commands using a certain exploit, you don’t have a persistent shell. Look into reverse shells.

ori0nx3 · March 13, 2020, 10:18pm

Type your comment> @sakas4 said:

Edit: I managed to found the password finally, but i rly dont know how to proceed.

What kind of file did you find the hash in? What is that file used for? What locations might you be able to use those creds?

ReT · March 13, 2020, 10:45pm

thanks @sakas4 and @ori0nx3 .

muemmelmoehre · March 14, 2020, 12:19am

Just finished the box, thanks @jkr for creating it!
To me, it felt like a CTF-style box - not a bad thing, but be prepared to play around with the stuff in front of you
Shoutout to @VirtualSamurai - merci encore

Xtr0 · March 14, 2020, 12:36am

looking for a nudge on root. Found the s*****.sh file. Can see that it runs with sudo. Read the man page for j*…l but cant seem to get anything working. Visited gtfo bins as well to no avail.