Official Extension Discussion

Official discussion thread for Extension. Please do not post any spoilers or big hints.

Not often that a box leaves me stumped so early. The hostname and box name must be hints at the way forward, but I cannot think of anything to use from any of the subdomains.

any good news?

Yes James Webb telescope sent 5 images

1 Like

haha. That’s great

Not usually asking for these, but can somebody PM me a hint, I’ve been enumerating for a whole day found some interesting information and endpoints, but nothing looks exploitable.


Got user. If you cannot find anything vulnerable, then anything that is custom is where you should look. Finding a path to user requires a BUNCH of enumeration. Once you find the path, then the steps to the actual user flag is difficult, but clear.


Can you give me a sanity check on foothold? I think I’ve found something, but I can’t seem to find a way to exploit it. Drop me a DM, please. This box is a real stumper.

Hello, I think found a start point to dig on (“Ziggy” told me where to look), but I’m having no luck with the request, always get the same response saying that something is missing… Created a script to send one by one with no luck,so I tried to send in same request one plus another until a complete dictionary was sent (and still it keeps telling me that something is missing)
Is there anyone kind enough to tell me if I’m in the correct path?

Hello, you have to use Burp intruder, it’s easyer

Rooted… Finally. Hints:

User: Nothing is exploitable… Right? If nothing is vulnerable, then it must be something custom. Once you are done fuffing about, then the path should be pretty clear.
Root: Again, look for anything custom. Run your usual PrivEsc tools and make note of all information you can get out of them.

This box is very frustrating and hard. Hint on what to target with that XSS? I tried so many things

Edit: got it

I was blind yesterday.
Let’s see if I am today, too :smiley:

I am in a state that I can reach the internal network, can access to db etc… but still cannot steal the root flag… Break time.

user flag

  • enum potential paths
  • enum subdomains
  • if no paths can be found, then look at the front end, this is a SPA, right?
  • one of the routes is dumb, because it can be used as a pump
  • fuzz the key and the value to receive all the keys and values
  • important roles are not crackable, but unimportant ones can be cracked
  • you can create a snippet? why not change one? some snippets are dangerous
  • you are somebody else now
  • learn from your own mistake, read your own code, your mistake could be someone else’s trouble
  • who do you work with? want to, again, be that somebody else? trick whoever works with you, so that they learn a lesson not to trust everything on the website
  • after a lot of hair loss, you should be able to see what that someone is working on
  • get that someone else’s work and login as that person
  • switch back to your previous someone, you know the password already

root flag (in progress)

  • found some background process connecting to db
  • found a docker instance (oh no, i hate docker escapes)
  • found the project lav*****************, i remember there was something wrong with this

root flag

  • enum to find a vulnerable webapp
  • find out where this webapp runs
  • understand the vulnerability and the mechanism to trigger it
  • if there is a protection mechanism, think of a way for the protection to be self-resolved
  • there is a data storage running locally, why not change the values in it? you can both promote yourself and add new values
  • if you have gone through the above, you should have a reverse shell to another container now
  • escape the container, the steps are not difficult, but you need to understand how the container communicates with the host
  • check on hacktricks for something equivalent to linpeas, but designed for container

Excellent machine, i definitely learned a lot from it… PE to root is way easier, than the user flag in my opinion.