Official Doctor Discussion

didn’t know this before, thanks

@Spunnring said:

that’s such a clever way to hide things

It isn’t even really about hiding. In normal usage, this is how you host multiple sites within a single web server. By using the hosts header, it is easy to direct traffic at the right site.

The server assumes that people using the appropriate header are trying to access the given site. This isn’t a security feature as much as a service identifier - “I want to reach ‘website’ at ‘somedomain’” vs “I want to reach ‘thiswebsite’ at somedomain”

You would typically put these values into your public or internal DNS. Without access to that, we have to manually insert the header/use the h**** file you mentioned :smile:
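What the post above describes, as an added example that is not part of the original thread: a server choosing a site from the Host header, with a catch-all default beside a strict mode that refuses names it does not serve. The site names, `DEFAULT_SITE` and the function names are constructed for illustration.

```python
# Added illustration, not code from the thread. Site names are constructed.
SITES = {
    "www.example.test": "public site",
    "intranet.example.test": "internal site",
}
DEFAULT_SITE = "www.example.test"  # what a catch-all first vhost would serve


def request_for(*hosts):
    """Build a constructed GET request carrying the given Host header values."""
    lines = ["GET / HTTP/1.1"] + [f"Host: {h}" for h in hosts]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_host(raw_request):
    """Return the normalised Host value (no port), or None if absent/ambiguous."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value.strip().lower())
    if len(values) != 1 or not values[0]:
        return None
    host = values[0]
    if not host.startswith("[") and ":" in host:  # drop ":port", keep IPv6 literals
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def route(raw_request, strict):
    """Pick the site for a request; strict=True refuses names that are not configured."""
    host = parse_host(raw_request)
    if host is None:
        return 400, "bad request"
    if host in SITES:
        return 200, SITES[host]
    if strict:
        return 421, "misdirected request"
    return 200, SITES[DEFAULT_SITE]


if __name__ == "__main__":
    for name in ("www.example.test", "intranet.example.test:80", "nope.example.test"):
        print(name, route(request_for(name), strict=False), route(request_for(name), strict=True))
```

With the catch-all default, every unrecognised name gets the default site and a 200, so the status code alone says nothing about which names are configured; the strict mode answers unknown names with 421 instead.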

this is amazing

I have been trying to find vhosts using wfuzz and vhostchecker, but no luck. All of the requests return 200, how do you guys tackle that? So far I have been filtering on line/word count. Is there a better way?

Would appreciate a nudge.

@tang0 said:

I have been trying to find vhosts using wfuzz and vhostchecker, but no luck. All of the requests return 200, how do you guys tackle that? So far I have been filtering on line/word count. Is there a better way?

Would appreciate a nudge.

check email

The creator of this box needs a Nobel Prize for trolling HAHA

I am stuck at the login page. Any hints? I have tried some basic s** I*******n.

@he110w0r1d said:

@tang0 said:

I have been trying to find vhosts using wfuzz and vhostchecker, but no luck. All of the requests return 200, how do you guys tackle that? So far I have been filtering on line/word count. Is there a better way?

Would appreciate a nudge.

check email

Thanks, totally missed that.

@AhadAli said:

I am stuck at the login page. Any hints? I have tried some basic s** I*******n.

It isn’t that. It’s more templated.

Stuck in the D***** S****** M******** using a self-created user.
Any nudge would be appreciated. Tried s** mp for basic s** I******n too.

@AhadAli said:

I am stuck at the login page. Any hints? I have tried some basic s** I*******n.

S** Injection is so 2009

@LMAY75 said:

Spoiler Removed

■■■■ apparently my post root analysis gave away too much, I thought it was pretty vague but hey who knows.

Just want to reiterate that if anyone needs a hint they should feel free to DM me, this was more challenging than usual for an easy box.

Rooted. I agree that is not an easy one, in particular the first part.
DM me if you need a nudge.
Thanks to EgotisticalSW for this nice box.

Any hints for r00t? I take it involves the high port and dash L? Can’t seem to get dash L to work though

@n3wb1en3w said:

Any hints for r00t? I take it involves the high port and dash L? Can’t seem to get dash L to work though

DM sent

@wazKoo said:

Wondering how people discovered the 1st exploit S**I on that page, since it was kinda blind, not knowing how to trigger and check the result.

Yeah, I agree, that was a bit obtuse. I figured it out pretty much from luck and viewing source because I found it odd that this page existed, but nothing was there. It was kind of sticking out like a sore thumb.

whoami

root

id

uid=1002() gid=1002() euid=0(root) groups=1002(*****)

No easy box at all. Foothold and user were just insane, would never have got those without helpful nudges from the good people of the forum. Root was a piece of cake though, assuming I went with the normal path.

Rooted. Thanks to @ArtemisFY for helping me in sorting out where I was getting lost.
IMHO, there’s a misconception on the classification easy-medium-hard-insane which is not really related to the true “stiffness” of the box.
hints:
foothold: once you find it, be kind and leave a message asking what you want.
user 1: your favourite enum scripts will tell everything.
root: google the high one.

Edit:
wanted to add that this box taught me a lot more than many other “hard” boxes, so thanks @egotisticalSW

Thank you so much @bertalting and @Smyrie for the nudges on the initial foothold. I guess I was a little cocky because of the “easy” label of this box. Turns out, it wasn’t as hard as I was making it to be. I overlooked one small detail. The nudges helped me see what I missed.
Getting root was pretty hectic, but it all came down to google fu. It was easy enough, just a bit tedious.
All in all, this was pretty humbling for me, I came into it pretty cocky then immediately realized I am NOT Mr. Robot. But seriously, thanks @egotisticalSW for this box!

Not an easy machine for me, learned new things, sometimes boxes like this point me to great articles.