Official Derailed Discussion

Official discussion thread for Derailed. Please do not post any spoilers or big hints.


Rooted! Don’t bother asking me for help though… I used unintended paths that will probably be patched! I will try to beat the box the intended way before giving my opinion!

Any small hint about the entry point?

I think the name is a major clue. Used a simple tool that seems to confirm this (with 50% confidence) but I suck at this and could use any tip you’re willing to throw out there. All avenues attempted using the method that I think this box is suggesting take me nowhere.

Got User the intended way. Much more involved than the cheese that will probably be patched :laughing: The box is a lot harder with that. I do really like the exploit though.

Not a bad box, the initial foothold was quite challenging (at least for me :smiley: ), however I didn’t like the PE part; the software that was chosen is complete trash in my opinion, very hard to find any information about it… but I guess this was the idea… anyway, learned quite a few things out of it…
For anyone stuck feel free to drop me a PM.

Same here, not getting the entry point.

Could anyone help me regarding the user with remote debugging?

Rooted that box! A big thanks to @evilByt3 who helped me a lot on this one.
This box was awesome, especially the user part (a big skill boost in XSS).
Anyone needing a nudge, feel free to ask :slight_smile:

Can you give me a nudge? No idea where to start, except I am able to add notes :smiley:

For the entry point, it takes time to first find the path / find where the admin may take your bait / then find which param you can control for the admin. It takes many trials… that’s how the admin catches your bait.

For me now, I’m “stuck” in Privilege Escalation. I have tried many possible ways. It looks so close but STUCK…
I can’t reset the OMV password. I don’t want to brute force. I think I’ve hurt the target so much already.
I found a way to set config.xml which is “So Close” to getting root via pubkey ssh BUT cannot set sshpubkey via cli. … It always says my sshpubkey.0 The value is not an array. . .
Just releasing my hot head…

Hey guys, I’m looking for help with Derailed’s foothold. If anyone can help I’d definitely appreciate it.

sure dm

Some tips for this box?

Very fun box, I spent way more time enumerating the foothold than I should have because I was paranoid I was going to miss something. Also didn’t have the right wordlist for the job til later. Seclists has ror.txt which will get you on the right path. Biggest hint is already in discord which is xss. This box is from 2022 so look up relevant CVEs, be mindful of when in 2022 Derailed was released, and then just look at the site, find the routes and that’ll get you on your way. Think of Sandworm but consider the functions of the site features and why they would be included.

Foothold/User is the hardest part, but to get to root you’ll need to do some digging, but it’s fairly easy once you find the appropriate documentation. It’s easier to spot if you established persistence with the original account.

With that said, this box retires in a week so I’m going to be working on the writeup for my blog. Best of luck to those who try to knock this out before it gets retired.