Hi, I have tried to get the initial foothold using VHostScan but with no result. Is this a rabbithole - I mean trying to use wordlist to get a valid subdomain. What is a better approach? thx
I am trying to find the inital foodhold I already tried to dirsearch, dirbuster ect. but do not find anything. Can someone point to a useful tool 
Could someone give me a little hint with the GET request to get a valid token? PM
rooted. The root part is crazy
can someone help me with root. analyzing d—g file with ghidra found function p------_d—
what to do next. new to binary exploitation
I now have USER. big thanks to @justAhmed and @luca76.
Working towards root now
rooted. This was very fun, educational and challenging box. Big thanks to @justAhmed and @jkana101 for helping me along the way.
Spoiler Removed
I had to stay awake for a long time but I finally won. Much analysis was required to reproduce the reverse step by step. Amazing. Thank you for this opportunity.
does this machine have something to do with f** if so please help me out. Thank you!!
I can see why this is an insane machine.
I was stumped on root here 
. EDITED TO ADD: Rooted now but that was hard.
I think I know what I need to do but I cant get it to work. It doesnt help that I cant seem to get it to give me any troubleshooting data. So there could be a lot wrong with what I am trying but I cant work out what 
It doesn’t help that the entry I am relying on seems to get wiped every few minutes!
i got root. its really hard box. if you need help you can DM. gl hf @tazwake thanks for i***c user priv. <3
Hi, need some help with something at the first to get the user, can someone pm me ?.
Hi people. Someone could give me a hint to get the user flag, I find myself stalling
@Carlos96 said:
Hi people. Someone could give me a hint to get the user flag, I find myself stalling
FInd a hash, crack the hash, use the creds.
I’m pretty sure the path to privesc to user i____c is broken. I’m using m____l and the vulnerability in the se^^_u^d^t^s to execute commands but nothing works. Can anyone else confirm this?
@shadowbunny said:
I’m pretty sure the path to privesc to user i____c is broken. I’m using m____l and the vulnerability in the se^^_u^d^t^s to execute commands but nothing works. Can anyone else confirm this?
I dont think that is how I moved from h___ to i____c, at least I dont recognise the obfuscation.
If you have a shell as h____, enumeration shows something which you can read and runs at regular intervals. You can use this to trigger code to your advantage.
Type your comment> @luca76 said:
Could someone give me a little hint with the GET request to get a valid token? PM
I’m looking for the same help. I receive the GET request but nothing is in it. I have tried various payloads and listeners. Please DM me.
Spoiler Removed
Type your comment> @t1b0 said:
I am able to get tokens and POST to create new FTP users without getting “Page Expired”, but I don’t think it creates the users, because the FTP client keeps saying “530 Login incorrect”. I’ve been stuck for 3 days. I feel like there’s a timing brainfuck. Any hints?
I was missing an XHR attribute. It works now.