First off, thank you admins for fixing this box. I didn’t put this question in the other discussion because of its label ‘almost unusable’. I wanted to differentiate between “the box is not working”, and “I need a nudge”.
Okay, I give, I’m gonna ask the question. I’ve been working on this box since it came out, and getting the first shell was pretty straightforward. But I really haven’t made much progress since then. I’ve managed to migrate up to a stable x64 shell (I was having issues with that earlier), and I’ve been searching the box from head to toe. I’ve got about 10 hashes sitting here. I know some of the passwords but not any that seem to be helpful [I’m trying to be vague about where I got them]. I’ve checked the versions of software, etc… but I’ve been dead in my tracks since about 2 hours after starting the box last Saturday. Would anyone care to give a nudge or a resource that might help me find the next step?
Alright, I’ll bite. Pretty sure I overshot the initial vuln, unless it requires a hefty amount of fairly “advanced” brute forcing. On the plus side, I’ve learned a ton about dodging login protections… Am I going down a rabbit hole?
Yeah, I completely overlooked something, which is why I was stuck. I thought that I had already checked the avenue that I missed.
I wouldn’t spend much time bruteforcing. Enumerating will get you where you need to go for the most part. The first few steps are really straightforward for this box, so it’s hard to really give a push without revealing too much about the box.
Enumerate more. Try using an interception proxy like Burp or OWASP ZAP to get a better look at what is going on. I can only conjecture why you are getting 500 errors.
@RPSUK said:
I’m finding no foothold on this, gobusted, burpd and wpscanned … found nothing I can use.
Although gobuster is probably not the best tool for the job, take a good look at the options of gobuster and see if you get any ideas. That is the best hint I can come up with without spoiling, and probably borderline as is.
I don’t know if it is intentional or a problem, but this box is soooo slow. I haven’t found anything useful, tried dirbuster but it’s extremely slow, 10 req/sec.
I’m a bit stuck on Bart as well. I have gotten an initial webshell on the box, and can run commands. But it seems that to get the user flag I have to get a shell as another user, as I don’t have access to the folder under C:\Users where I think the user flag is located. Any tips?
Need some help on Bart. Did gobuster but I get response 200 on every single thing. Any hint? The website keeps showing me an image with otters “We are looking for your page…”
Could you help me? I’m stuck … I’m in the [dev] chat but I do not know what I should do. I could not access it, and I have checked the application code on GitHub and have not found anything relevant …
I have a full shell as a low-priv user. I have enumerated many things including creds that work for another service, but this has all turned up nothing. I’m trying to not give too much away, but certain expected avenues to elevate are specifically broken so it is apparent that the creator is driving for a single path to escalation…but I’m damned if I can find it. Just a little point in the right path would be great…thx
Can anyone suggest the right wordlist to enumerate Bart? Found a couple of subdirectory paths for a certain internal domain, but all dead ends apparently.
@moj0 said:
I would appreciate a PM nudge on this one.
I have a full shell as a low-priv user. I have enumerated many things including creds that work for another service, but this has all turned up nothing. I’m trying to not give too much away, but certain expected avenues to elevate are specifically broken so it is apparent that the creator is driving for a single path to escalation…but I’m damned if I can find it. Just a little point in the right path would be great…thx