Book

@xNaaro said:

Stuck on admin part, I think the injection comes from the params instead of the file itself, but haven’t found a language or payload which works so far. php returns no output. Any nudge would be appreciated

Sounds like you are kinda on the right track. PM me if you need a hand.

■■■■! This one makes me feel so stupid… still stuck at first step, i think i know WHAT i have to do, but i don’t know HOW exactly.

The hints in the comments reinforce the feeling i’m going in the right direction. But i’m still hitting my head against a wall with any new thing i try.

After the initial foothold (and reading some comments) two possible ways to get admin access came out instantly. To get it, i need:

  • Insert or update my user record, with elevated privileges (admin role)
  • Update legit admin record, setting new (custom) password

Not sure how the admin role is stored in the user record (if it’s a literal, a related table, an enum, a string, etc…), so i think the other way looks easier, at least locating the admin record in all the records should be easy as we have a way to “locate” it (a···n@b··k.htb)… but i was wrong as everything i try doesn’t work…

Tried forcing the user e···l when registering a new user, updating user’s r··e and e···l from p······.php, i tried param pollution in every form, register from the hidden panel in /a···n/, try to trunk the strings with null, CRLF, etc…, tried SQL (and other) injections, with identical results…

Nothing at all worked for me, now i’m stuck and my brain is blocked with this, so i can’t think clearly about it or focus in what i’m missing while i’m dealing with this frustration…

Any help that points me in the right direction or if i’m completely and desperately lost? any mistake in my thoughts?

Thanks…

Rooted!

Many, and I mean MANY thanks to @4t0ys3d for being patient and nudging me when I got lost. Learned a lot and enjoyed this box!

Interesting box, liked it

@rulzgz said:

Nothing at all worked for me, now i’m stuck and my brain is blocked with this, so i can’t think clearly about it or focus in what i’m missing while i’m dealing with this frustration…

Any help that points me in the right direction or if i’m completely and desperately lost? any mistake in my thoughts?

This is difficult without being over-spoilery.

You are in the right injection. There are other attacks than injection.

You need to create a user in a way that allows you to overwrite the admin’s login credentials. Try doing this, find out what prevents it, then try to bypass that. Don’t try to imagine the attack all at once.

@rulzgz said:

Nothing at all worked for me, now i’m stuck and my brain is blocked with this, so i can’t think clearly about it or focus in what i’m missing while i’m dealing with this frustration…

I was in the same place as you, until i read your comment. Indeed, it’s difficult to talk about it without spoiling.
You do have all the things required. Update what you need then perform a different action on the other panel that you mentioned.

Also, thanks for the unintended nudge :smiley:

Rooted! Thanks everyone i bothered, especially @rawa. Root was hard, so i think it should be more than 30 points.

Guys, i don’t know how you managed to be logged in as who we should be. My victory lasted 3 mins then reset :smiley: and overwrites all the time.
Other than that, the principle of exploitation and the concept are cool. Too bad we cannot utilize it properly.

@Watskip said:

@rulzgz said:

Nothing at all worked for me, now i’m stuck and my brain is blocked with this, so i can’t think clearly about it or focus in what i’m missing while i’m dealing with this frustration…

I was in the same place as you, until i read your comment. Indeed, it’s difficult to talk about it without spoiling.
You do have all the things required. Update what you need then perform a different action on the other panel that you mentioned.

Also, thanks for the unintended nudge :smiley:

Thanks for your answer, happy to hear i’ve helped in anything hehehehe even if it wasn’t my original intention

Not sure if i understand what you say… do you mean that there is some kind of race condition, where time is relevant to success?

Special thanks to @TazWake and @lucaswebb24 for nudge given.
Thank you @MrR3boot your boxes are always amazing.
Very good practices strengthened

■■■■! I got it!!!
…since i began to work on this box, but i discarded it because it didn’t work for me…

Thanks to @Watskip @meraxes and @MariaB for your messages and time.

Remember to double (or better triple) check every payload or technique before trashing it!!

Good for you, i left it. I was in a vicious circle with my payloads for the initial access. It worked once, then it was all the time Nope! : )

I have read the thread twice already, still don’t have any clue how to get the admin user for the webapp. Any nuggets would be highly appreciated.

@Dzsanosz said:

I have read the thread twice already, still don’t have any clue how to get the admin user for the webapp. Any nuggets would be highly appreciated.

I think I know what I must do, been trying for 2 days, but nothing.

@Dzsanosz said:

I have read the thread twice already, still don’t have any clue how to get the admin user for the webapp. Any nuggets would be highly appreciated.

Same here. Trying to find some php code that implements signup form or a blog post that deals with similar issues. No luck so far. I guess I need to trick the code into setting a role field to admin role during signup by leveraging the fact that the email field has a char limit, at least that’s what I extracted so far from all the nudges here.

EDIT: Got pushed into the right direction. Got it.

Oh gosh, finally got user on BOOK. Awesome foothold, very tricky, and especially with everyone overwriting one another :smiley:.
But after that i was able to get something else. Thanks to the guys who pointed me to what attack i need to focus on to achieve my goal.

Hello community,

Could you please give some hints for a little push?

I am in the admin login webpage.

You’ve been b0okd & r0tTd…
Thanks a lot @TazWake for the nudge, you saved my day :respect:

Finally got user. Super hard for me. :fearful:

Rooted but grabbed only the root.txt as always a race : )

@MrR3boot, awesome box!

Especially the initial foothold for me was smt new, so i learnt smt that i can use in future. Very very cool.

And after that the next step was also cool (i admit here i got a little nudge on the type of attack i must target, but the execution was mine :slight_smile:)

Anyways really awesome box despite the race.