[MEGATHREAD] Beta 1 - Lab 2 Feedback

Greetings to all!

We just released our second lab of the week and are very excited to share it with you all!

The new lab is a continuation of the first wifi hacking exercise. It allows you to connect to the vulnerable wireless access point and then scan the entire subnet. We managed to put a vulnerable remote application inside the network for you to scan and exploit.

And we are introducing Metasploit into our labs too!

You can use Metasploit to exploit your favourite vulnerability, rather than downloading the custom exploit. The ability to use and edit custom exploits is a highly required skill for every hacker, but for the sake of simplicity we are allowing Metasploit for exploitation so that you first learn the flow of the attack.

That will help you view the complete picture of the network, devices, vulnerabilities and how network security is breached, which will give you a good head start towards the hardening of your own network.

As a Megathread, please use it to provide your feedback based on the following questions:

  1. How difficult was it for you, on a scale of 1-10?
  2. How much time did it take you to solve the exercise? Mind sharing a screenshot of the “Verify Flag” section confirmation?
  3. Was it real-world enough? If not, please suggest.
  4. What was the best and the worst thing about the lab?

We hope you find the labs useful. Please use this thread to share your ideas about a lab you want to see at rootsh3ll Labs :slight_smile:

1 Like

Still working on this one, in the end stretch now. I fumbled through connecting to wifi from the terminal on my own, and it seems like right after I figured it out, you posted the hint.

Nonetheless, I was surprised that the IP address I was assigned was a Class A network. Unless I am doing something wrong, it seems like there are a lot of possible hosts (16 million+) to scan to find the live one.

I did find some live hosts early in the range, but gave up the scan after about 20 minutes, assuming that those hosts are most likely the intended ones, but it seems a smaller subnet would be a bit easier for an intro lesson.

I’m working on one host now that I assume is the right one, but who knows with that many to choose from?

Trying not to give any spoilers, but perhaps an area in the forum to discuss individual labs for those who want to?

1 Like

Hi Jason,

I do confirm that’s a miss from our end in terms of the subnet. We intended to provide a /24 range with Class A for easier access.

But we missed the subnet 255.255.255.0 part, to make it clearer that the variable bit is only X in 10.0.0.X. We’ll update the access point configuration soon. Thanks for letting us know.

We suggest you go for a /24 range for a faster list of live hosts.

Sure, I’m creating a category named #labs which will contain tags related to the appropriate lab. Feel free to create a post under the appropriate category.

And we are always open to PMs for private discussions. :slight_smile:
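A worked illustration of the subnet point above, added here and not part of the thread or the lab: the same 10.0.0.X client address gives a scan scope of ~16.7 million hosts under the 255.0.0.0 mask the access point handed out, but only 254 hosts under the intended 255.255.255.0 mask. The assigned address and the list of discovered hosts are constructed sample values.

```python
import ipaddress

# Constructed sample values, not from the lab: an assigned client address and
# the two masks discussed in the thread.
ASSIGNED_IP = "10.0.0.23"
CLASS_A_MASK = "255.0.0.0"        # what the access point handed out
INTENDED_MASK = "255.255.255.0"   # the /24 the lab intended

# Constructed list of hosts a scan might have turned up early in the range.
FOUND_HOSTS = ["10.0.0.1", "10.0.0.5", "10.0.0.42", "10.1.7.9"]


def scan_scope(ip, netmask):
    """Return (network in CIDR notation, usable host count) for ip/netmask.

    The mask decides the scope: 255.0.0.0 on a 10.x address yields a /8
    with ~16.7 million usable hosts, 255.255.255.0 yields a /24 with 254.
    """
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    usable = max(net.num_addresses - 2, 0)  # drop network and broadcast
    return str(net), usable


def in_scope(hosts, ip, netmask):
    """Keep only the discovered hosts that fall inside ip/netmask."""
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    return [h for h in hosts if ipaddress.ip_address(h) in net]


if __name__ == "__main__":
    for mask in (CLASS_A_MASK, INTENDED_MASK):
        net, usable = scan_scope(ASSIGNED_IP, mask)
        print(f"mask {mask}: network {net}, {usable} usable hosts")
    print("hosts inside the intended /24:",
          in_scope(FOUND_HOSTS, ASSIGNED_IP, INTENDED_MASK))
```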

No problem, thanks for letting me know! Yeah, it seems a lot quicker now :) and it confirms my suspicion that the hosts I did find were all in that /24 subnet.

1 Like

Awesome!

I’ve created the #labs category. You can now create a new discussion post under the same with the appropriate tag (labID).

Waiting to see your lab completion verification image soon!

Thanks! I’m working on the exploit now; if it’s what I think it is, I’ll definitely have some feedback for you. I’ll PM it though, to avoid posting spoilers.

2 Likes

Got it. Great lab! Make sure you think outside the box. Just because you think something’s not right because it’s not provided for you, doesn’t mean you should skip basic enumeration.

Don’t want to say too much and spoil it, so DM if you get stuck!

2 Likes

Amazing Jason! You are the first one to complete this box!

So, as a reward you are now eligible for a custom user title. Let me know in the PM what user_title you would like along with your username, apart from your current title: beta user

Another great box… Congrats again!!

  1. 3 (because of the hint)
  2. 10 min
  3. Yes, for sure we need to understand that a real-world-like box doesn’t contain puzzles inside an image (for instance).
    Normal users keep their password in some file or use some password from a dictionary. (The secret of our life as attackers is to use a good dictionary.)
  4. Best thing: the step-by-step process that we need to perform until we actually get root access to the machine.
    Worst thing: it’s hard to use this word; instead I would give a suggestion: enter as a normal user, and give a way to priv esc in order to get the root pass.

So true and important. That’s actually the reason we used the common username & password list against the device’s SSH. We’ll be doing it more often and explicitly mention it in the walkthrough to make sure the user understands the importance of dicts, as you just outlined.

Actually, we intentionally dropped the exercise at the point where you crack the key and did not move ahead into the retrieve-flag-from-file part. I wanted it to be a different exercise under a more sophisticated and enterprise-like environment. Imagine WPA2-Enterprise, or a WiFi captive portal in your office, with tens of users.

The privilege escalation part was something that I skipped accidentally. Now that you mention it, I’d have to think about whether this can be done, since we are using Docker containers to simulate a user and, as their nature is to use the host’s kernel, I am not sure if we can perform privilege escalation by kernel exploitation. Maybe other ways are there, but we’d have to explore.

I am open for suggestions on this though. Link me if you have a good source on this.

Sorry, I don’t recognize this platform; is it possible to send a DM to you?
And actually yes, Docker shares the same kernel problems that the host does.
The same kernel exploit used on the host can be used on the Docker container.
I will look for some references, but I have one presentation that was made at a BSides here in Brazil that discussed post-exploitation in Docker environments (ways to escape from Docker, actually).
I can share it with you if you want.
Edit:
About the priv esc: those are ideas for the next labs… this one is already amazing!

1 Like

Sure, I’d like to have a look. I did read about a Docker breakout vulnerability a few weeks ago and then we updated our Docker to the latest patched version. Not sure if the talk would still be valid, but we might learn something from it :slight_smile:

A little idea just popped into my mind. We cannot use kernel exploitation with Docker, but we CAN do service exploitation within the victim’s system.

Based on your pentesting experience, what do you think about it? How frequently is app/service exploitation, or buffer overflow vulns, used to get root rather than kernel exploitation?

Next-to-next lab. Since both labs are quite complicated to understand as a whole, just give us some time and we won’t let you down :slight_smile:

Forgot to mention. Since you are one of the first 2 people to complete this lab, you become eligible for a custom user_title.

You can PM me a title that you would love to have along with your username; for instance, your current title says: “beta user”.

As pentesters we tend to follow the low-hanging fruit (the easiest way to get root)… but personally I think that for training we need to try other ways. Instead of just typing uname -a and going after some kernel exploit, what if you set up a MySQL running as root (some version that allowed priv esc, obviously) or some SUID file…
g0tmi1k has an amazing article on the mindset for Linux Priv Esc that can give you some ideas for the next ones…
Basic Linux Privilege Escalation

1 Like

That’s a good idea too. A database connected to the corporate private network would be a good one to start with!
Thanks for the idea and link too :slight_smile:

In the real world, kernel exploits are not a realistic attack vector unless it’s a last resort. Too often these crash the machine, which is the last thing you want to do on a pen-test. Most of the time, the answer to privesc is found in service configuration, weak permissions and user errors. Good patching will block kernel exploits, but users/lazy admins will always be around.

In a learning environment, kernel exploits are the easy answer; they are fun to pull off, but they don’t require a lot of thinking. Priv esc is an area many students struggle with, so the more practice the better.

1 Like

Makes total sense to me. I think we are on the right path to create something very useful.

Q. How difficult was it for you, on a scale of 1-10?
4

Q. How much time did it take you to solve the exercise? Mind sharing a screenshot of the “Verify Flag” section confirmation?
30 minutes of keyboard time.
I was trying to paste the exploitdb script and use that before I realized I could open msfconsole…

Q. Was it real-world enough? If not, please suggest.
yes, as far as use of bad passwords :slight_smile:

Q. What was the best and the worst thing about the lab?

Good experience using multiple tools to solve a problem.
Bad: no way (that I found) to priv esc. That would be the assumption given user-level access. The “vulnerability” given in the hint is not even necessary unless going after a user account that isn’t otherwise easy to guess (like root).

1 Like