First of all, I really like that this box makes you recreate the steps from the 1st lab to gain access to the wifi network. As a lifelong (failing) guitar player, one of the most important lessons is “Repetition.” Retyping the same commands and building on them reinforces the concepts and helps cement them in your head. Too many online labs require you to learn some esoteric command and then you never see it again, meaning you easily forget how to do it. I’d love for future labs to continue in this vein.
Once I got in, I had to figure out how to connect to the wifi from the command line. Again I used the owner’s book to help out with this, while using Google to fill in some parts that were not working. I see that a post was made right after I figured it out on how to connect, but to be honest, I’m not sure I would agree with giving the instructions, as part of the art of hacking is researching and figuring this out.
Once on the network, I see that I was given an address in a subnet with 16 million+ possible hosts. While it’s certainly possible in the real world to encounter this, it is unlikely. A quick DM to Hardeep confirmed that this was a mistake and that only 254 hosts should be scanned. Trust me, the host you want is not #16 million.
Using my favorite network scanning tool, I quickly discovered the vulnerable service and found what I thought was the appropriate MSF exploit, but found it was taking a long time to attempt the exploit. Again, Hardeep was very responsive and said it should not take more than a few minutes, so I knew I had fallen down a rabbit hole. I learned an important lesson here, that the lab resets after 3 hours, so nothing we are doing should take longer than that. I did my OSCP at the beginning of the year, and quickly learned about rabbit holes, so this information is helpful to ensure you don’t go too far down that way.
So now I had what I was pretty sure was the right exploit, and I had a good file provided on the desktop, should be pretty easy, right? WRONG. Do not assume just because you have been given the answer, it is the correct one. After trying the information supplied, I kept coming up empty. At first I thought it was something wrong with the lab, but quickly realized that there was other information I should try, that any “decent” hacker should have done first. My suspicions were quickly confirmed and after that getting root was easy.
Overall a great box, very real-world and OSCP-like. (I HATE CTF puzzle-type boxes.) I think it’s great that you have to enumerate not only the box, but the network as well. I love things like HTB, but half the fun is finding the vulnerable machine in the first place.
Finally, a review of the company RootSh3ll. Hardeep was INCREDIBLY responsive to questions and suggestions, often replying in minutes. I realize the company is small, but after reading his book and seeing the work that was put into the site, I LOVE his passion for this project. Too often I meet people who want to make lots of money in cybersecurity because it’s the new buzzword, but his love for the field shines through and I am proud to be allowed to participate in a project that obviously means so much to him! Keep up the good work!