Book

Nice box, thanks.
User: Figure out what happens when you register, read the code and then research about how exploiting it can be done. Once you’re in, look where you can inject something malicious and see if you can look at that through admin.
Root: Pretty much simple, check out what is running and read online on how to exploit it because you have everything you need ready for it.
DM me for any questions

For some absurd reason I was doing the exact same thing for the privesc and it didn’t work. Did a box reset and bam, it works… User was great - a good learning experience, but root was a bit eehhh… still good stuff on the box!

@TsMade said:
Can I get a nudge for user? I’m stumped. I’ve created a user and noticed that there is an admin login page, but I’m stuck.

Try to search about sql truncate.

Got root now!

Thanks to @selfhatred @TazWake for the nudges.

Finally rooted, a lot of learning.
Thank you all.
If you need hints, PM.

I entered as admin on ip/index php but when I try to log in as admin in ip/admin
my credentials don’t work.
Any hint please?

Awesome box, and it kicked my ■■■■ for a while, but interesting vectors.
User definitely took a bit of tweaking but root was straightforward enough if you don’t overlook the obvious like I did for a while :slight_smile:
Good luck to others!

@evilcode said:

I entered as admin on ip/index php but when I try to log in as admin in ip/admin
my credentials don’t work.
Any hint please?

The email address matters.

Finally I can root this box!

$ I just wanna say thank you to the creator

Can anyone give me a hint on getting the admin page? I can create the admin@ user without the “user exists” using the trick, but still can’t log in. Even altering the sess ID.

@chicxulub said:

Can anyone give me a hint on getting the admin page? I can create the admin@ user without the “user exists” using the trick, but still can’t log in. Even altering the sess ID.

If you’ve created the admin@ user and you can’t log in to the admin portal with the credentials you gave the account, one of two things is likely:

  1. you haven’t created the user correctly.
  2. someone else has attacked at the same time as you and changed the credentials before you used them

You shouldn’t have to mess with session IDs, largely because until you’ve logged in to the admin portal with valid admin creds, you don’t have an admin session ID.

I think I’m doing everything right to get information to leak, but it isn’t working - even on a freshly reset box. Can anyone give me a sanity check? Thanks!

Edit: NVM, I got it!

Sanity Check Please LOL!! I have done the process too many times to count, I have a great article that speaks to the exact same attack… don’t want to spoil anything, please PM me!!

UPDATE: ALL GOOD :slight_smile:

Soooo I can get in the admin portal… but it seems the password that let me in on the admin portal won’t work for the regular access… is this because someone changed it that fast? I am on VIP and this box is older… wouldn’t think that would be the case.

OK, just slap me and tell me to stop being impatient. Got user… on to root.

Rooted :slight_smile:

I’ve learnt a lot especially for the user part! I got stuck on root for a while though but rooted it anyway! Thanks @MrR3boot for the learning experience! :smile:

I can read passwd with some injection and try the **h key, but it shows me a truncated file.

How can I read the whole file? I’m such a noob at injection and web payloads.

If it’s a spoiler, pls delete.

Spoiler Removed

@TazWake thx, I did it yesterday :slight_smile:

Awesome work.