Json

I’m trying to get user.
I have found a** / a****** and a** / t**** is there any other endpoint or I have to work with the other 2? Or has nothing to do with that?
Found too the creds but seems worthless

no idea whats going on haha

Nice work @Cyb3rb0b. Straightforward and Pretty stable box. That obfuscation was kinda uh but overall it was good.

Hints for foothold: e-mail field is really confusing, dont trust it.

Thanks a lot @Cyb3rb0b for such a nice box.
Got root using both lazy (Thanks @TsukiCTF for mentioning his repo. It actually took more than 5 minutes, but who counts :)) and the slow (intended? way)
Loved the slow way much better as it requires you to actually do something :slight_smile:
Had fun
PM/DM for hints (although everything was already told here)

Pretty sure I know what needs to be done in terms of giving it that special kind of t***n, but I can’t find any creds to discover what that thing should look like before I make some special modifications…

Can I please get help for the json part?

Type your comment> @mech said:

Pretty sure I know what needs to be done in terms of giving it that special kind of t***n, but I can’t find any creds to discover what that thing should look like before I make some special modifications…

Nevermind… T.T don’t neglect the basics…

Can someone confirm the initial part is related to d****n ?
I read some realy interesting things on /a
/A
but cant exploit it.

Edit : I confirm, check if your command works (even if you have errors)

keep going on and inspect every http request after login

So far, I’ve spent more time setting up a Windows VM just to DO THIS BOX than I have actually working on the box itself. Not sure if this is intended or not, but I spent the last 8 hours trying to figure out how to do it in Linux and it doesn’t work.

If anyone has any hints for bypassing this, PLEASE feel free to reach out. I’m on the verge of insanity and really not enjoying myself, lol.

Edit: I figured out how to do it on Linux. But Jesus Christ, that was not a fun ride. Moving forward with this knowledge now though.

What a learning experience that was.

found the two endpoints as others have mentioned been messing around with ys****al, couldn’t get it to generate on kali so used my windows box really not sure if this is the right way to go.

Do i mix cereal with biscuits or keep stringing along :confused:

i think this is “one” way…i tooked it too. wine/cross compiling was a bit too time consumption for me

Rooted. Mixed feelings, didn’t enjoy it much. Learned something new though. Thanks to the creator!

My two cents:

User: Read the source, find A******, play with B*****. Spawn a free Windows VM, you’ll need it!
Root: Vegetable (easy). Didn’t explore another path.

Got the token, tried to modify it to trigger SSTI because one of the parameters reflected on the webpage in a funny manner, got nothing out of it. People mentioning ys******* and I don’t understand how do you get to that point, what’s the link between this machine and ys*******? I see no evidence whatsoever to even think about using ys*******.

So yeah, I’m lost :stuck_out_tongue:

Spoiler Removed

I tried different payloads and none of them gets to code execution, is this the right way?

Awesome box! I’m potato on windows so this box definitely taught me a lot.

Nice box, forced me to learn thing or two about Windows privesc. I got user fast (after I realized that there MUST be space after -n in MS ping…) and then I spent much more time on figuring out how to cook vegetable.

The non-vegetable way to root feels easier to me, more straight forward.