Official Cybermonday Discussion

I’m stuck at the SSRF too, anyone up for a nudge?

I somehow got stuck with the RSA key. By this point I cracked the private key but for some reason my Python script that uses it to sign the JWT just doesn’t get the key and it’s getting frustrating. Anybody could help me out in private with this?

Anyone able to DM a hint for leveraging the SSRF? I have a few ideas and I believe it’s to do with p*** **a****l but unsure. Would be appreciated. Based on it being a docker, I assume we cannot call to localhost due to it being outside of the range (based on this vhost being on a docker container).

Regarding the authentication breakthrough to create a webhook, is forging the token the right track?
The methods for cracking tokens in the RS256 scheme are limited, and the secret cannot be identified even if various attacks are attempted.

I’ve tried everything to get auth for webhook creation, but am unable to do it. A nudge would be really helpful! Feel like I must be missing something very obvious.

I’m struggling a lot on this one; this is my first hard one. Could anyone DM me for a little help? I did a few things but I’m not sure about what to do. Any help would be helpful :slight_smile:

It’s not hard, it’s undoubtedly an insane-level machine :face_holding_back_tears:

1 Like

Better call Saul!!

1 Like

Definitely in the higher-tiers hard boxes. The foothold-to-user part drove me nuts ^^

foothold: A standard web user will not be enough, give yourself some rights. Then find the hidden web part and give yourself some more rights.
Can the machine talk to you? Good. Now make it talk to something else. And remember that just because you have no feedback doesn’t mean it didn’t work.
Take a look at your cookie. Can you read it? Decode it? What data does it hold? How is it treated by the app? Can you inject stuff in there?

user: Take a look at the internal hosts, enumerate common ports. You should quickly find yourself with the source of another part of the web service. Read it, find the vuln, exploit it, profit (granted, it is easier said than done :p).

root: Standard enumeration. What can you map other than volumes?

PS: Always happy to help if you need it :wink:

11 Likes

This. Couldn’t have said it better. So useful, so clear, yet so vague. :smiley:
GJ good summarization. Props.

And yes, the foothold and user part is tremendous, long-winded, tiresome, and annoying. Root is rather seamless and easy (but maybe it only seems that way compared to the insane-like struggles to get there).

1 Like

Foothold to user? What about reaching RCE? :skull:

So, "READONLY You can't write against a read only replica." means that the box itself is broken? All of the paths I found give me the same error, prompting the Laravel error screen. And I can’t seem to find any subdomains.

yeah, gotta restart the machine

1 Like

If someone else (or yourself) broke the box and you get this error, you can fix it by simply issuing REPLICAOF NO ONE if you are far enough into the box to do so. No need to wait 5 min for a restart then.

Did you get the user? Looking for help.

Can someone help me with a nudge for the initial foothold?

Stuck on the initial foothold, can someone help??

Can’t spawn an instance on the VIP+ 1,2 VPN, how to fix?

I personally think this machine should be upgraded to insane. There’s something about it being in the same class as Gofer and Download that just doesn’t seem right to me.

4 Likes

I’m going crazy with this token, I’ve tried all sorts of ways to forge the token and none of them work. It always says unauthorized :sob: :sob: