Official Agile Discussion

need hints for root

machine silently patched without changelog?
a secret changed to unknown urandom(32).

1 Like

I have a similar issue where I don’t know where to start. I’m trying to get directories / pages and subdomains but no luck so far. Can you give me a hint?

Do you get the correct domain? noting the redirection.

1 Like

What do you mean by redirection/correct domain?
I’m only getting agile.htb as nginx default page and didn’t find any other directories/subpages when using a medium dirbuster wordlist.

try with ip, or some arbitrary subdomain.
you would encounter 301 when fuzzing vhost/subdomain.

Can Anyone help me with the foothold?

Can you help me here? I found the LFI but I don’t know what to do besides looking into /etc/passwd to find potential usernames.

Help with werkzeug console pin exploit , please DM

Try to look into the source code, its path is visible in the error logs :heart:

@tec already posted up in the comments, but the foothold might have changed (silently, apparently). I’m talking some info you might find yourself trying to extract from a specific file.

UPDATE: Apparently it has been added yesterday.


Hey guys, this was a tough one for me. At last, rooted!
DM me if you need help / hints


I’m stuck at first user. I tried a lot of things, but I’m not sure how to proceed. Any hint/help would be great. I’ve been at it for a week :confused:

Maybe not anymore after the latest patch.

1 Like

Hi there! Can anyone PM me and guide me a bit withing this box? I’ve already checked all the paths I’ve found and got stuck… I have lfi, have app’s source code ect. But I see that the app is probably patched and the cookie+idor path can’t be used anymore. I also tried to reverse Pin but with no luck. Have a feeling I’m missing something obvious…


I’m in the exact same place as @mar11. Can someone give me a nudge on that?


I’m trying to see the source code of the application but I can’t get the path of the application

Can someone tell me if reversing the *** for the c***** is the right track as I don’t think IDOR or cookie mods are possible since patch.

check errors

llevo ya casi una hora e probado todas las rutas que salen en los errores y nada