Official Cereal Discussion

Rooted. The good news is privesc is less complex than getting user. Enumeration is 100% the key (and I don’t mean just looking for passwords all over the place).

Look at what the box is doing - it helps if you’ve seen it before - look for how it can be exploited. Look at what your account can do. Then, if you are a gardener, there is something which is often useful on windows boxes.

Rooted. It looks like an insane box, more than hard for me.
Happy to help >>> PM for hints.

Can someone give me a nudge? I've got a feeling, type-of hs256, but I don’t really understand it.

@gh0stm5n said:
There is a field that is vulnerable to XSS (and yes I can get a response back to me).
Yea well I can’t!

Finally got user after many wrong turns and rabbit holes, and learning a lot. Thanks @TazWake for patiently answering all my questions.

This may be one of my favourite boxes. Great fun from foothold to root.

Could use a root nudge, can’t tell if I’m stuck in a g*****l rabbit hole.

Can someone DM me with a hint on the whitelisting?
Edited: nvm

@TazWake said:
Look at what the box is doing - it helps if you’ve seen it before - look for how it can be exploited. Look at what your account can do. Then, if you are a gardener, there is something which is often useful on windows boxes.

I’m trying some fries with that but I get the usual “recv failed”, which I believe you’re mostly supposed to get if someone fixed the hole. Maybe I need a different family. Or was that an unintended way and the machine was patched?

User was insanely hard for me, probably took me more than 20 hours in total but at least I learned a gigaload for j**. Likely off-topic, but what are the chances one might come across something like this machine in an OSCP exam?

@Exci said:

I’m trying some fries with that but I get the usual “recv failed”, which I believe you’re mostly supposed to get if someone fixed the hole. Maybe I need a different family. Or was that an unintended way and the machine was patched?

I used the generic one and as far as I know it still worked as recently as last week.

Solved. Yes, even I felt user was > root. The name of the box is a synonym for what you need to do to get a shell. Need help? DM

I’m stuck at the point where I’m sending JSON to the Req**** endpoint. I think I have the right auth token but I’m getting 400 validation errors. I’m using python json.dumps to make the payload with the four keys - anyone able to give a hint?