Official Catch Discussion

Hey all, I’m currently stuck trying to get this web shell. Not sure how to mention it without spoilers but every time I go for the shell I’m getting an invalid response. Any help would be wonderful!

foothold/user: avoid rabbit holes - multiple keys and doors to try - don’t get stressed if one doesn’t work, just move on and find the one that does then reference tip above about nested variables.
root: read/understand/exploit the script, don’t fight, arguing can lead to unintended consequences

Wow, thanks for the tips! helped me a lot :slight_smile:

I’ve figured out what I’m meant to do with the nested variables, but I have no idea what command to use to read a nested variable. Can anyone PM me and help me out a little? I feel like I’m right there.

If you’re using one of those 3 vulnerabilities, try a different one; the obvious RCE might be a rabbit hole.

Ended up getting it shortly after I posted originally but thank you! I was following the path explicitly shown by the blog that posted about the CVE but once I took a step back and tried other routes I got it pretty quickly.

Think I’m close to rooting the box but having issues with “the tool” when trying to build… Anyone else have this?

I know it’s a bit vague but :person_shrugging:

Anyone else getting “zip END header not found” when building an APK? Or am I doing something wrong? Any help would be appreciated, as I’m about to throw my computer at the wall…

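As an added example (not from this thread, and not apktool’s own code), here is a small Python check for what that error actually means: every valid ZIP, and therefore every APK, must end with an end-of-central-directory (EOCD) record, and when a builder cannot find it the archive is usually truncated or was written by a broken build step. The sample archive below is constructed inline so the check runs offline; the file names in it are only illustrative.

```python
"""Diagnose a "zip END header not found" error by looking for the ZIP
end-of-central-directory (EOCD) record that every valid ZIP/APK must end with.
Added example for this discussion; not from the thread or from apktool."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_MIN_LEN = 22          # fixed-size part of the EOCD record
MAX_COMMENT = 0xFFFF       # the archive comment length field is 16 bits


def find_eocd(data: bytes):
    """Return (offset, total_entries, central_dir_offset) for the EOCD
    record, or None if no consistent record is present.

    The record must lie within the last 22 + 65535 bytes of the file; the
    search runs backwards and a candidate is accepted only if its comment
    length matches the bytes that actually remain after it."""
    tail_start = max(0, len(data) - EOCD_MIN_LEN - MAX_COMMENT)
    end = len(data) - EOCD_MIN_LEN + len(EOCD_SIG)
    while end > tail_start:
        pos = data.rfind(EOCD_SIG, tail_start, end)
        if pos == -1:
            return None
        # layout (little-endian): sig, disk, cd_disk, entries_here,
        # entries_total, cd_size, cd_offset, comment_len
        fields = struct.unpack("<4sHHHHIIH", data[pos:pos + EOCD_MIN_LEN])
        comment_len = fields[7]
        if pos + EOCD_MIN_LEN + comment_len == len(data):
            return pos, fields[4], fields[6]
        end = pos + len(EOCD_SIG) - 1  # false hit inside data; keep searching back
    return None


def diagnose(data: bytes) -> str:
    """Classify an archive the way a build tool would see it."""
    if not data.startswith(b"PK"):
        return "not a zip: no PK signature at offset 0"
    if find_eocd(data) is None:
        return "zip END header not found: archive truncated or EOCD record damaged"
    return "ok"


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip with placeholder entries that stand in
    for an APK's manifest and dex file (contents are not real Android data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    print(diagnose(sample))          # intact archive
    print(diagnose(sample[:-10]))    # last 10 bytes cut off, as a bad copy would be
    print(diagnose(b"not an archive"))
```

Running it on the intact sample reports `ok`, while the copy with its last bytes cut off reproduces the condition behind the build error, which is why a corrupt download or a half-written file is the first thing to rule out before blaming the tool.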

I still do not understand how to get privesc. I understand I have to exploit the ****.sh and that I have to build it, but I do not know what payload to use, nor can I find one… please push me off a building

This box took a few hours. I don’t want to give anything away, but I want to help people avoid a lengthy rabbit hole.

First, I know you found that vulnerable app that supposedly has RCE through deserializing data. I tried very hard to exploit it. I simply couldn’t get it to work for some reason. However, RCE isn’t the only bug in this version of the program. You can easily grab secrets. You should know a few employees at the company and you have at least one login so you know how they assign usernames based on their real names. Make a solid guess at additional users and combine it with a secret. Lots of employees reuse passwords, so who knows!?

For rebuilding the APK, I highly recommend ignoring the APK you found earlier, and downloading a Hello World APK from Github and editing that.

There’s an issue when editing an APK that has no compileSdkVersion set: one of the checks of the script fails.
Did you find one that has it set already?

Because adding this field to the AndroidManifest.xml makes it impossible to rebuild the APK.

finally rooted! :rofl:
If you encounter problems rebuilding APK files, you should update your apktool. I wasted an hour trying to fix it.

Sorry, I think that I crashed 10.10.11.150:8000/dashboard/incidents; maybe the machine needs a reset?

Thanks for the machine, I learned a lot.

For user, make sure to use the same request as shown in the blog; I tried creating an incident report, and it never worked.
For root, make sure not to use apktool-dirty; install it this way instead: Apktool - How to Install

Well, I got the user flag
But I kinda don’t get how to utilize that weak XML point; I create one, but it doesn’t succeed. Maybe I just don’t get how that build process works.
Please DM me with a nudge if you have one :smiley:

Rooted! Fun box! Didn’t start it until it was basically retired, but I was able to avoid any major spoilers for the most part. Definitely a good one to try, and there’s a good video walkthrough for it from IppSec on YouTube now that it’s retired. He moved through it a lot quicker than I did!