Traverxec

@Strigi said:

Hey Guys,
I need a nudge in the right direction.

I’ve used the exploit with a .py script (it seems I’m not that good with MSF, I’ll need to work on that).

I’ve found the hash in the location described in the conf file and got the N…e pwd.
I also know about the existence of the ~… page which blocks my entrance.
With effort I’m trying to find maybe folders/files underneath this folder but I feel like I’m on the wrong track.

No clue for root, but that will be for later on.

please help me!

~ p.s. I’ve read through all the 41 pages and I’m just not seeing what I think I’m supposed to see in the conf/man ~

dirbusting is a rabbit hole. Run LinuxEnum.sh and look for the tasty bits for keys

Getting initial foothold was pretty easy, getting user, slightly challenging after enumerating the OS. Root was downright silly IMO. PM me if you need a nudge.

@grumpychris said:
@ALK said:

For people struggling with root. remember it’s not always a good idea to maximize ur screen :wink:

lol, made no sense, and then it did. Thanks for the hint @ALK !

Yea, I was like WTF??? No way.

Finally rooted…

FootHold: CVE.

USER: Really important: the service manual. I got stuck on user because I focused on researching files and folders on the webserver… Asking and reading previous comments here, I tried by console…

Root: Well, it didn’t take too much time to find the files I needed, but understanding what to do with them was more difficult… After searching on Google I found the way… GTFO…

With respect to root, I would like to know how exactly it works… If someone could explain, PM please!

@ac884b said:

My feedback for Traverxec:

Root*: quick enumeration would lead you to something… if you are not familiar google it, try it locally and go back and root the box :slight_smile:

  • Make sure you do not maximize your terminal screen a lot … sometimes LESS maximizing is better :slight_smile:

PM if you are stuck

This was the best hint for me regarding root.

@th48th said:
I can’t seem to get a reverse shell.

@nyckelharpa said:
Got root. I’m a novice and this was quite difficult for me. It required some techniques that I don’t fully understand and only figured out by pure chance and the hints here.

My hints (definitely also take a look at the other hints!):

  • Foothold: Enumerate the machine. Anything more would give everything away. Don’t think too complicated :smile:
  • User: You might be able to find credentials on the box (that you need to crack first) and which might seem like you can’t use them anywhere. Don’t work on this too long. Finding the right place to use them is difficult and not necessary (but it is possible to use them!). Instead, have a look at the files of the service you exploited. Also, a hint which might seem paradoxical: Sometimes it is possible to access directories that themselves are in a directory you cannot access.
  • Root: Once you have user privileges, closely examine what is right in front of you. You might find something that contains interesting commands. Minimize the width of your terminal (hard to believe, but that’s not a joke!), execute and then GTFO (also not an insult or a joke, Google and other hints are helpful here).

PM me for advice. I’m willing to help. I just spent the better part of the day getting crazy because I couldn’t figure out what to do :neutral:


I would be very grateful if someone would be willing to explain to me WHY and HOW the technique to get root works. I don’t understand it at all. I can explain all of my steps and what worked for me and what didn’t. I’d also be interested in learning how to own root without resizing and how to defend against this resizing trick.
Thanks for everybody reaching out in advance! :blush:

The journal command (and several other executables) has a SUID permission set that allows it to be run as root from another user. Shrinking your screen throws the command output into some type of display that you can run shell commands from. I think it is a known issue: if the system’s SUID commands are not set properly, you can exploit it.

@uncuscino said:

@acanto95 said:

Just rooted the box.

My god, root was easy but it took me 2 days to find how.

All I can say is the resizing method is not the only one. What helped me was GTFO and less. If somebody did the resizing thing can you tell me how you did it?

Feel free to drop me any PM for hints!

wait wait wait, you know about another method instead of the resize? pm me please, I’ve done it with the resize

Following as well, had to resize but got root, quit after that but am trying to crack root and user pw just for fun.

If anyone is awake and has the energy, I would love a hint for the root part… I’ve read the comments but I just don’t get it … :confused:
Edit: Finally rooted!

Finally rooted! Feel free to PM :slight_smile:

I have absolutely no idea about that resize thing. I’m resizing my window but nothing more happens.

Edit: found it. Cause: doesn’t work on tmux. Kinda disappointed by this box.

@Raekh said:

I have absolutely no idea about that resize thing. I’m resizing my window but nothing more happens.

actually worked… rooted!

this box is giving me anxiety. at first it wasn’t working at all with all ports filtered/blocked (even after a restart), then it started working out of the blue. then I couldn’t do anything with the foothold shell, and then I could. It’s so frustrating and I know it’s not meant to be part of the experience.
I’ve been reading the forum and other places to try to figure out what I’m doing wrong, and being massively spoiled in the process. (my own fault)

the best hint I can give for rookies (like myself) is that yes, sure, read the docs (for me one of the docs wasn’t loading at all), there are some decent hints here, but where do you use these hints? I dunno, try the web, try the shell, try wherever you can. don’t get distracted getting one to work because it might work another way.

followup, is there a way to get tab completion with the foothold shell? (this is more of a general question)

@giantruby said:

followup, is there a way to get tab completion with the foothold shell? (this is more of a general question)

Yes, python method works just fine.

I have managed to get what I believe is the correct hash and cracked it, however when attempting to ssh with the credentials it’s saying access denied. Any ideas, anyone?

It took me quite enough, but it was a fun machine

As almost everyone said before: enumeration is fundamental to understand the machine itself. Some common vulnerabilities to get the first step, then john and man are the keys (if something is not visible, it doesn’t mean it does not exist)

For root: some really fun pe; remember that size does matter here

If you need any hint feel free to pm me

@ALK said:

For people struggling with root. remember it’s not always a good idea to maximize ur screen :wink:

That’s a golden tip.

Can anybody tell me why this happens?
When I run the command “/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service” in a full-screen terminal, it gives me an error (that is, it just “cat”s it and does not run it in “less”)… But when I use a small terminal window and run the exact same command, it runs in “less” and I get to root. Why is this weird stuff happening?

@ka1z3n said:

Can anybody tell me why this happens?
When I run the command “/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service” in a full-screen terminal, it gives me an error (that is, it just “cat”s it and does not run it in “less”)… But when I use a small terminal window and run the exact same command, it runs in “less” and I get to root. Why is this weird stuff happening?

This is almost certainly because the file it is showing you is smaller than your screen, so it dumps its contents and exits.
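
An added example, not part of any post in this thread and not code from the box: a small sudoers audit for the situation discussed above, where a command run through sudo can end up in an interactive pager. The sudoers lines and the `svc` account are constructed for illustration; the check looks for the `NOEXEC` tag or a pinned `--no-pager` argument, so the verdict does not depend on terminal size.

```python
import re
import shlex

# Commands that hand output to an interactive pager when run on a terminal.
PAGER_CAPABLE = {"journalctl", "systemctl", "less"}

# Constructed sudoers lines; "svc" is a placeholder account, not from the thread.
SAMPLE_SUDOERS = """\
svc ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
svc ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service --no-pager
svc ALL=(root) NOEXEC: NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
svc ALL=(root) NOPASSWD: /usr/bin/id
"""

RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")


def audit(sudoers_text):
    """Return (line_number, command) for rules that can reach a root pager.

    A rule is flagged when the command is pager-capable and neither
    mitigation is present: the NOEXEC tag (sudo prevents the command from
    executing further programs) or a pinned --no-pager argument (sudo then
    only matches invocations that include it).
    """
    findings = []
    for number, line in enumerate(sudoers_text.splitlines(), 1):
        line = line.strip()
        match = RULE.match(line)
        if not match or line.startswith(("#", "Defaults")):
            continue
        rest, tags = match["rest"], set()
        while (tag := TAG.match(rest)):      # peel off NOPASSWD:, NOEXEC:, ...
            tags.add(tag[1])
            rest = rest[tag.end():]
        for command in rest.split(","):
            argv = shlex.split(command)
            if not argv:
                continue
            name = argv[0].rsplit("/", 1)[-1]
            if name in PAGER_CAPABLE and "NOEXEC" not in tags \
                    and "--no-pager" not in argv:
                findings.append((number, name))
    return findings


if __name__ == "__main__":
    for number, name in audit(SAMPLE_SUDOERS):
        print(f"line {number}: {name} may open a pager as root")
```

Only the first constructed rule is reported; the second and third carry one of the two mitigations, and the fourth does not involve a pager.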

@TazWake said:

@ka1z3n said:

Can anybody tell me why this happens?
When I run the command “/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service” in a full-screen terminal, it gives me an error (that is, it just “cat”s it and does not run it in “less”)… But when I use a small terminal window and run the exact same command, it runs in “less” and I get to root. Why is this weird stuff happening?

This is almost certainly because the file it is showing you is smaller than your screen, so it dumps its contents and exits.

Ohh okay, understood! Can you tell me where that config file is, so I can read its contents?
