I am not an expert but I just do not see any logic in this. Just a complex guessing game. Shrug. Pretty annoying. No offense to maker. Maybe the rest of the box is really cool and I will learn something but this part is… strange

Educated guessing is something that you’ll have to do in any pentest, especially against a target that is probably 94%-99% blackbox.
This thing is a legit beast and probably requires chaining together some obscure yet logical things that I’ve yet to get a twist on, but the overall story looks like it makes sense. It’s just a matter of making it work out. Trial and error. That’s life.

Based on the endpoints hanging off of /admin, I am thinking this is either a client-side exploit or access to the admin panel is required. I could totally be wrong, but it's what makes sense right now.

I might be overthinking it, but I see a pattern there. Title suggests Read and Learn, there is also header “If you have a Garden and a Library, you have everything you needed.” All provided PDFs are about flowers and one of them has “marker” words. Tried to build dictionaries out of them, but no luck.
One of them did work though, but that was a false alarm. Someone reset the box :slight_smile:

Found some pieces of software, one is git version, the other slightly outdated, not really sure if that would be important at this point.

Me: I sure have worked hard and would like to change careers to being a pentester some day.
Reality: Ha! F… you, buddy. Go eat paste.

I got some csrf working, but I don’t want to purchase a short domain. My ip is one digit too big :confused:

Purchasing a short domain wouldn’t help you anyway. The boxes are all sandboxed with no internet connectivity.

Free domain names with .tk extension. Good for when you need to test something (Dot TK - Find a new FREE domain)

I feel like P*****J isn’t really stable. Sending the same payload that did things before doesn’t do things anymore :T

aaaand rooted. Awesome box, had a lot of fun (except for the part where I got weird behaviour because of other people and tried replicating it unsuccessfully for 3 hours :,) )

Knowing MrR3boot inspiration, we’ll need a lot of lectures to own this box… Hope I’ll read fast enough?

got some requests back but pointless prob :confused:

Got inside privileged. Looking more to get a reverse shell…
Very educative so far

Owned user!
Next up to root

Could you give us any hint for user? :smiley:

A little nudge on the foothold.
Sometimes, after a limit, it doesn’t matter what characters are.

XSS is never the way to go.

So, the reason I talk about what I’ve learned in the open is because I think it’s a complete dead end and I followed it to its end, I think.

I’ve spent so many hours on xss. I’ve learned about punycode, so that’s fun.

I’ve had a lot of fun in trying to get this go through the character limit, but it didn’t work out. It does resolve to an IP though.

script src=//⑩⑩⑩⑩

I left < > out, because I don’t want to accidentally trigger anything.

Edit: seems that I already did, when I did copy/paste the tag in, lol.

The browser resolves the emoji with an algorithm called Bootstring [1].
It becomes in this case: 10101010
which resolves to its hex form: 9A 21 12
which resolves to hex in base 10 form, aka an IP:

I’ve learned that //0xffff (etc.) also resolves to an IP on FF, Chrome, IE, Edge and Safari (Safari doesn’t do Punycode though, Chrome and FF do).

I opened up Firefox’s source, but I couldn’t find where this type of resolution takes place. If someone has the insight to look it up quickly, I’d appreciate it a lot! [2] :smiley:


[2] GitHub - mozilla/gecko-dev: Read-only Git mirror of the Mercurial gecko repositories at https://hg

@zaBogdan ? do you mean the upload capability is a rabbit hole?

@z3r0c001 If you don’t have the right permissions yes.

Rooted, great box, learned some new things that I haven’t seen before.