Rooted. That was intense. The foothold was a killer. user2->user3 was annoying, as I had the correct files right in front of me, but missed it for a couple of days due to not using the right commands to view them. That was a ‘duh’ moment when I finally figured it out.
Thank you @MinatoTW and @egre55 for an amazing machine. This one felt very “realistic” in terms of the steps it took to get to root. All along the way I never felt like “oh, this is just contrived for the challenge”.
Edit: I forgot to add, thanks to @MariaB for the link on bypassing the WAF. Much appreciated, it was exactly what I needed.
i’ve attempted to progress on that box twice, and twice i am blocked with the same madness around the identifies stuff… it is all inconsistent. One function gives me and id, then in the other direction the other function returns nothing for that id. The domain ID are different and inconsistent, depending on how i retrieve them. When i convert them myself, bit by bit, the length is inconsistent.
Oh, and for users, the domain id is also a new different one… nothing makes sense with all of that.
EDIT: sort of got it… i don’t know why but by randomly trying alternative functions i finally have something consistent.
Finally rooted that beast… I’ll be very curious to see @VbScrub write-up on this one as on two areas i’m not very clear with what i saw, first, the *ids, which came in all sort of length, sometimes not consistent with one another, as i said in my previous post, then I’m surprised that the hound gave me different results depending on the ingestor used, and both actually missed the vulnerability in my case although i understand from the hints that they do find it for many people.
Hey. Im struggling with WAF bypass. Could someone send me a link about bypassing WAF?
If you google what you are trying to do there are some very good articles on this. Start with TrustFoundry but there are other good articles. It is a very common bypass technique, it just needs some tweaks to work.
If you google what you are trying to do there are some very good articles on this. Start with TrustFoundry but there are other good articles. It is a very common bypass technique, it just needs some tweaks to work.
I just got one step forward. Thank you both @TazWake and @MariaB
Since I have lots of time waiting for loot to drip character by character I might as well ask here - is it even useful to enum database? It’s probably 10th hour or so and I am at 9/17. Will I get 18 this way or is it waste of time?
So i finally did it.
This is indeed a huge behemoth of learning experience.
Again, thanks to @TazWake for nudges and sanity checks.
I have nothing to add to the hints already given here, so i will not deep dive into every single step.
The only suggestion i can give is: take your time, don’t forget to consider every single detail while enumerating the machine but be careful because there’s the risk of fallint into a huge rabbithole…
Hi,anyone can give some hint how to go ahead about this lab…
Scarching heads…
This is definitely an insane machine. Pretty much every step of the way is challenging and requires some element of manual exploitation.
The best I can suggest is have a look to find something which allows you to post data. Play with that a bit until you understand the response. Then with a lot of trial and error you might find a way to inject requests which get a response you want.
Pretty sad to see this box is going to retire this weekend. It was so hard.
Totally agree with you, too sad. it was a great box !
I though they will at least release an Insane Windows box to replace it but no, instead *nix
Too much *nix machines, not enough windows machines.
