Official Breadcrumbs Discussion

Playing with the token using the tool and examining it with Burp. Reluctantly I read through the forum and I get the pretending/lie I have to tell the server, but when I change the username field I get a dud… Am I in a rabbit hole?

Very fun machine so far, but even though I’m running a personal instance I’ve had two issues that were solved with a reset:

When I initially started the machine there were no services listening on IPv4, except for the usual OS stuff. There is a way to retrieve the IPv6 address, which did have services. I was proud to have figured that out, but after a reset there suddenly were things listening on IPv4. Still somewhat proud for finding out that workaround though.

The second time is where you’re sure you got all the information to make an educated guess for something. But… I got nothing. Until I did another reset. The machine wasn’t even running for very long so I don’t think anything expired.

So: when in doubt, reset :stuck_out_tongue:

Hey all, I have just finished the machine. One of my favourite machines. Many thanks to Camk and Helich0pper!
If anyone needs help, no problem, contact me

I think I’m doing things the complicated way (as always :blush: ). Still, I managed to encode the token. I’m uploading the RCE directly with curl on the controller but I get this message.

Fatal error: Uncaught Firebase\JWT\BeforeValidException: Cannot handle token prior to 2021-06-03T20:45:46+0200

I’m sure there is a simpler solution :wink: but do you have any idea about the date control in Firebase?

EDIT: Well, I know why, and there is a simpler access point :blush: My token generated online was very tricky. I finally generated one with a Kali tool. So it appears that I need an admin PHPSession hash and the corresponding token at the same time.

Now I’m trying to understand how to upload a fake zip. It seems that a real zip is needed not just the name :neutral:

EDIT2: I just understood the b*** interceptor usage to repeat an HTTP request, but no way to bypass the file check by modifying content-type and task name. What am I doing wrong?

EDIT3: Got user. Very interesting box. Needed to enumerate enough. Bruteforcing the user password with a template becomes possible. I don’t know why the RCE vulnerability upload works with HTML. :neutral: Let’s go on the root journey. See a bunch of passwords for different services.

EDIT4: Any nudge for root? Tried Metasploit escalation, AV bypass, user and www-data enumeration, saw SMB shares but no access rights. What am I supposed to do with the password field of the users table, and with the develop**** user?

EDIT5: Got root. Not easy for my level, but I learned a lot. The PEAS tool doesn’t work. I don’t know why. The clue is in an obscure note file of a Windows app. But the journey doesn’t stop there and there are more steps. SSH tunneling is needed to use the Kali tools.
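The `BeforeValidException` quoted above is what firebase/php-jwt raises when a token's `nbf` (not before) or `iat` (issued at) claim lies in the future relative to the server's clock, which is exactly what happens when a token is minted on a machine whose clock runs ahead of the target's. The following is an added example, written for this thread and not taken from the box or from the php-jwt library: a minimal HS256 verifier in pure Python standard library that mirrors php-jwt's time checks (`nbf`/`iat` against `now + leeway`, `exp` against `now - leeway`) and shows how a small clock skew turns into a rejected token and how a leeway window absorbs it. The secret, claims and timestamps are constructed for the demonstration.

```python
"""Added example (not from the thread or the Breadcrumbs box): a minimal
HS256 JWT verifier with php-jwt-style nbf/iat/exp checks and leeway.
Standard library only; secret and claims below are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWTs strip '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 (for the demo issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenError(Exception):
    pass


class BeforeValidError(TokenError):
    """Analogue of Firebase\\JWT\\BeforeValidException."""


class ExpiredError(TokenError):
    """Analogue of Firebase\\JWT\\ExpiredException."""


def decode_hs256(token: str, secret: bytes, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Verify signature, then apply the same time rules php-jwt uses."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier, not the token, decides which algorithm is acceptable
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # nbf and iat may be at most `leeway` seconds in the future
    for claim in ("nbf", "iat"):
        if claim in claims and claims[claim] > now + leeway:
            raise BeforeValidError(f"Cannot handle token prior to {claims[claim]} ({claim})")
    # exp may be at most `leeway` seconds in the past
    if "exp" in claims and now - leeway >= claims["exp"]:
        raise ExpiredError("Expired token")
    return claims


SECRET = b"example-only-secret"  # constructed; never hard-code real secrets


def demo(skew_seconds: int, leeway: int = 0) -> str:
    """Issue a token whose iat/nbf are `skew_seconds` ahead of the server
    clock (what a generator with a fast clock produces) and report how a
    verifier configured with `leeway` treats it."""
    server_now = 1_622_745_946  # constructed: 2021-06-03T18:45:46Z
    claims = {
        "sub": "user",
        "iat": server_now + skew_seconds,
        "nbf": server_now + skew_seconds,
        "exp": server_now + 3600,
    }
    token = encode_hs256(claims, SECRET)
    try:
        decode_hs256(token, SECRET, now=server_now, leeway=leeway)
        return "accepted"
    except BeforeValidError:
        return "before-valid"


if __name__ == "__main__":
    print("no skew      :", demo(0))             # accepted
    print("120s ahead   :", demo(120))           # before-valid
    print("120s, leeway :", demo(120, leeway=300))  # accepted
```

The defender's takeaway is the leeway knob: php-jwt exposes it as `JWT::$leeway`, and a small value (tens of seconds) covers honest clock drift between services, whereas a large one quietly extends every token's lifetime by the same amount at both ends.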

So I’ve pretended successfully and followed the breadcrumbs, but I’m stuck on the form that I’m pretty sure I need to use to get a shell; it keeps erroring out no matter what I do when I try to use it. Did I miss something?

@sirtel said:

So I’ve pretended successfully and followed the breadcrumbs, but I’m stuck on the form that I’m pretty sure I need to use to get a shell; it keeps erroring out no matter what I do when I try to use it. Did I miss something?

Maybe you can have something that acts as a proxy in-between…

Been doing that, I’ll try more things. Can’t get even my tests to go through, something about a title.

Hello,
I hope I’ll find some help :confused:
I think I enumerated well, found some secrets, J** and C***ies I can encode/decode… but when I try to take advantage of Paul’s permission, I get: Undefined array key “username” in the controller file… while I can run the same validation method on my machine with no problem.
I hope someone can tell me what I am missing…

Thanks!

@Xcalibure said:

Hello,
I hope I’ll find some help :confused:
I think I enumerated well, found some secrets, J** and C***ies I can encode/decode… but when I try to take advantage of Paul’s permission, I get: Undefined array key “username” in the controller file… while I can run the same validation method on my machine with no problem.
I hope someone can tell me what I am missing…

Thanks!

When the PHPS***** is correct you see the name of the user on the Portal page. Until then, that cookie is incorrect. The first vulnerability in the app shows you the encoding logic to build the cookie. One random letter of the username is used in the encoding.

Rooted.
Amazing box. I think one of my favorites so far.

@dylvie said:

When the PHPS***** is correct you see the name of the user on the Portal page. Until then, that cookie is incorrect. The first vulnerability in the app shows you the encoding logic to build the cookie. One random letter of the username is used in the encoding.

Hello Dylvie,
thank you for your input; I was trying directly from Burp so didn’t have an eye on this. I believe I have spotted the logic to create the cookie, token… So I’ll retry and keep you updated.

Thank you again.
B/R

@Xcalibure said:

Hello Dylvie,
thank you for your input; I was trying directly from Burp so didn’t have an eye on this. I believe I have spotted the logic to create the cookie, token… So I’ll retry and keep you updated.

Thank you again.
B/R

It’s me again.
I spent a night using Burp on this and did it in 30 seconds following your indication.

Thanks a million!
Cheers!

Finally rooted.
That was an OSCP 25-point-like box, I guess, with very interesting information gathering work.
Thank you @helich0pper
Regards!

@AlPasta said:

Just a tip so people don’t lose a few hours like me: when it’s time to “pretend”, during the initial foothold phase, you might have to reset the box to make it work. Someone might have done something that makes it impossible for you to pretend to be your target.
Might be a bit cryptic but I don’t want to spoil.

@AlPasta Thank you for this one!! I was going crazy over here, got everything without a single hint so far and was now beginning to think I was stuck in a rabbit hole -.-

Edit: rooted, I found this one easier and way more straightforward than some of the medium boxes tbh. I’m always happy to help, just text me :slight_smile:

I got the user flag. Next stop: root flag :smiley:

As with some others I am getting junk text at the end of the last (I hope) thing. If someone has a good hint I’d love to hear it. I’ve tried brute forcing, unpad, etc, but can’t figure it out.

Still can’t find a way to upload the fake.zip… Tried everything possible… Any hints?

Mission completed :smile:

PM if you need a nudge.

Rooted! Nice flow to this box and it goes through several core concepts.

@kavigihan said:

Still can’t find a way to upload the fake.zip… Tried everything possible… Any hints?

Intercept :slight_smile: