@bithoveen said:
Some hint with getting root.txt? I’m not sure if I’m just retarded, but I can’t seem to figure out what to do. Already got user…
Same here. Going round in circles. Can someone PM me plz?
Sent both of you a PM.
anyone have any suggestions on how to do the privesc and I have the hex just dunno what to do with it?
@Sc4v3ng3r said:
anyone have any suggestions on how to do the privesc and I have the hex just dunno what to do with it?
If its the file I am thinking about, Google “magic bytes” or “magic numbers” or “file signatures”.
@TazWake said:
@Sc4v3ng3r said:
anyone have any suggestions on how to do the privesc and I have the hex just dunno what to do with it?If its the file I am thinking about, Google “magic bytes” or “magic numbers” or “file signatures”.
I managed to extract a file from the user directory wit the c** command, this was a hex file I’ve tried various was to “extract” data from it but have not had any luck with what type it is?
@Sc4v3ng3r said:
I managed to extract a file from the user directory wit the c** command, this was a hex file I’ve tried various was to “extract” data from it but have not had any luck with what type it is?
Its difficult to say much without it being a massive spoiler. First - is this working towards user.txt, or do you have that and you are trying to get root?
If it is the first, feel free to PM what you think the magic bytes/file signature is and we can discuss it in a bit more detail.
Could someone give me a hand getting root.txt? I have user and I’m fairly certain I’m on the right track, I’m just not sure how to leverage it
ok, after having root.txt for a while and struggeling with getting shell I finally got it. Thanks for this great box. It was a nice puzzle
something happened and this web page of the box doesn’t work anymore.
Only my third machine. Struggling to figure out how to get a shell via Joomla (yes I have researched the vulnerabilities for specific versions of Joomla). I assume CVE-2013-5576 doesn’t work since it’s version 3.1 and lower. Attempted the standard reverse_tcp shell php upload to the extension page, but being denied there as well. New to Joomla so a little nudge would be great.
Hey guys. I managed to get a reverse shell, but I cant find a way to escalate to f***** (i’m www-data). I already know about the file signature thing, but still couldnt unpack it. Can anyone help? This is my first machine and it’s getting very interesting.
@s1gh said:
Sent both of you a PM.
Thanks for the hint, dude. Got root flag now. I’ll go back to this to try and get a root shell some other time.
This was a fun box. Learned a lot.
@saskenuba said:
Hey guys. I managed to get a reverse shell, but I cant find a way to escalate to f***** (i’m www-data). I already now about the file signature thing, but still couldnt unpack it. Can anyone help? This is my first machine and it’s getting very interesting.
Sent you a pm
I am not far at all. A lot of users say this box is “simple”, but I have no forward progress after enumerating directories and the log-in page.
I attempted a brute force but no dice.
I manually visited all the directories gobuster enumerated.
Not seeing the low hanging fruit here.
My methodology right now is to:
Nmap > nmap -sU > gobuster > poke around > attempt default creds / bruit force > WALL…
@PHunHouse said:
I am not far at all. A lot of users say this box is “simple”, but I have no forward progress after enumerating directories and the log-in page.I attempted a brute force but no dice.
I manually visited all the directories gobuster enumerated.Not seeing the low hanging fruit here.
My methodology right now is to:
Nmap > nmap -sU > gobuster > poke around > attempt default creds / bruit force > WALL…
@PHunHouse said:
I am not far at all. A lot of users say this box is “simple”, but I have no forward progress after enumerating directories and the log-in page.I attempted a brute force but no dice.
I manually visited all the directories gobuster enumerated.Not seeing the low hanging fruit here.
My methodology right now is to:
Nmap > nmap -sU > gobuster > poke around > attempt default creds / bruit force > WALL…
have you tried checking the source page?
rooted 
, here is hint for any stucked at priv esc, read cURL documentation
have you tried checking the source page?
hey I have the p*******_b***** file and i’m having trouble getting it to unzip with b2
anybody pm me some info? i saw the magic number to know the correct file it is but apparently it’s not registering as a b2 file. kindof lost.
need a nudge to ‘learn me somethin’
@Djinn45SQL99 said:
have you tried checking the source page?
hey I have the p*******_b***** file and i’m having trouble getting it to unzip with b2
anybody pm me some info? i saw the magic number to know the correct file it is but apparently it’s not registering as a b2 file. kindof lost.
need a nudge to ‘learn me somethin’
b**** is only the beginning 
@Djinn45SQL99 said:
have you tried checking the source page?
hey I have the p*******_b***** file and i’m having trouble getting it to unzip with b2
anybody pm me some info? i saw the magic number to know the correct file it is but apparently it’s not registering as a b2 file. kindof lost.
need a nudge to ‘learn me somethin’
pm sent to you.
you da man!