Linux Local Privilege Escalation - Skills Assessment

Is there someone who finished this Academy? Because I need help with this.

1 Like

Is there someone who can help?

1 Like

Hi, I already found an external service on the target machine, found some sensitive information for this service and went to the admin page. But how can I use this external service to read flag4? By file inclusion or another method? Is there anybody who can give me some hints? Thanks

1 Like

You should enumerate the target with your user permissions. Keep in mind the service you’re targeting: you will find the credentials for logging in to the service, and after that you have to exploit it to get the right permissions and read flag4.

Ok, I’m seriously stuck on the last flag, any hints? Edit: ■■■ I’m an idiot, an unexpected user could execute privileged commands. Good course!

1 Like

Can someone help me with the last flag?
I use the t…t credential with a reverse shell.
I can’t get privilege escalation.

Check what commands that user can run. :slight_smile:

1 Like

I checked the command with sudo -l, but I didn’t find the solution for this.

1 Like

GG for arachn1d

Hi friends, I’m on the user who manages the web app, you know, I have flag 4. This user can run a command; I have used sudo trying preload, but I’m not allowed, you know. Could you throw me some clues? Thanks

Same issue as dstnat. I have flag4. I know the command this user can run as sudo. I’ve looked up GTFOBins for this command and ran it (as well as a dozen other variations), but I am still not able to get root. Any other clues would be appreciated. Yesterday I tried compiling a file to use with an ld preloader, packed it in a .war, uploaded and unzipped it, and was not able to run it either. Been stuck here for 3 days. Help!

1 Like

Stuck on this… any clue?

Is there somebody who could help? Thanks in advance

Hi there. The user to access the tomcat manager, is it tomcat or a different user?
I am digging through log files and conf files accessible by user barry/group adm, but no luck.

Never mind, I’ve found it. I think I mistyped on my first attempt.

Hey, I’ve just got flag5. If you got flag4, the way to flag5 is not hard, but tricky.

3 Likes

Just solved this. To anyone stuck at this place. The only hint I think I would give in public is to notice that your reverse shell isn’t fully interactive. It is possible and necessary to have a fully interactive tty shell.

4 Likes

Any hints for flag4? Pulling my hair out with it at the moment and getting nowhere :confounded: :confounded: :confounded: No matter…I have it…I was focusing too much on the one thing :roll_eyes: :roll_eyes: :roll_eyes:

1 Like

Yes, I am also stuck at flag4. I pivoted to user Barry, who is adm group member. Found nothing in the logs. To read flag4, tomcat user privileges are required. I have no idea where to go from here. Pivot to tomcat service role?

Make sure you’ve identified ALL of the vulnerable applications on the box…one of them will give you what you want…don’t just focus on the one thing :+1:t2: