Official Extension Discussion

system · July 16, 2022, 3:00pm

Official discussion thread for Extension. Please do not post any spoilers or big hints.

JacobE · July 16, 2022, 8:48pm

Not often that a box leaves me stumped so early. The hostname and box name must be hints at the way forward, but I cannot think of anything to use from any of the subdomains.

nhocit · July 17, 2022, 9:56am

any good news?

hacker1111 · July 17, 2022, 1:34pm

Yes James Webb telescope sent 5 images

nhocit · July 17, 2022, 3:07pm

haha. That’s great

mach1ne · July 17, 2022, 11:17pm

Not usually asking for these, but can somebody PM me a hint, I’ve been enumerating for a whole day found some interesting information and endpoints, but nothing looks exploitable.

Thanks.

JacobE · July 18, 2022, 12:58am

Got user. If you cannot find anything vulnerable, then anything that is custom is where you should look. Finding a path to user requires a BUNCH of enumeration. Once you find the path, then the steps to the actual user flag is difficult, but clear.

TheHatedOne · July 18, 2022, 4:40am

Can you give me a sanity check on foothold? I think I’ve found something, but I can’t seem to find a way to exploit it. Drop me a DM, please. This box is a real stumper.

Ic32K · July 19, 2022, 8:12am

Hello, I think found a start point to dig on (“Ziggy” told me where to look), but I’m having no luck with the request, always get the same response saying that something is missing… Created a script to send one by one with no luck,so I tried to send in same request one plus another until a complete dictionary was sent (and still it keeps telling me that something is missing)
Is there anyone kind enough to tell me if I’m in the correct path?
Thanks

mhendel · July 19, 2022, 4:33pm

Hello, you have to use Burp intruder, it’s easyer

JacobE · July 19, 2022, 10:42pm

Rooted… Finally. Hints:

User: Nothing is exploitable… Right? If nothing is vulnerable, then it must be something custom. Once you are done fuffing about, then the path should be pretty clear.
Root: Again, look for anything custom. Run your usual PrivEsc tools and make note of all information you can get out of them.

mach1ne · July 20, 2022, 11:50am

~~This box is very frustrating and hard. Hint on what to target with that XSS? I tried so many things~~

Edit: got it

hexedbyte · July 22, 2022, 9:50pm

I was blind yesterday.
Let’s see if I am today, too

hexedbyte · July 23, 2022, 2:36am

I am in a state that I can reach the internal network, can access to db etc… but still cannot steal the root flag… Break time.

meowmeowattack · July 27, 2022, 9:36am

user flag

enum potential paths
enum subdomains
if no paths can be found, then look at the front end, this is a SPA, right?
one of the routes is dumb, because it can be used as a pump
fuzz the key and the value to receive all the keys and values
important roles are not crackable, but unimportant ones can be cracked
you can create a snippet? why not change one? some snippets are dangerous
you are somebody else now
learn from your own mistake, read your own code, your mistake could be someone else’s trouble
who do you work with? want to, again, be that somebody else? trick whoever works with you, so that they learn a lesson not to trust everything on the website
after a lot of hair loss, you should be able to see what that someone is working on
get that someone else’s work and login as that person
switch back to your previous someone, you know the password already

root flag (in progress)

found some background process connecting to db
found a docker instance (oh no, i hate docker escapes)
found the project lav*****************, i remember there was something wrong with this

meowmeowattack · July 29, 2022, 4:52am

root flag

enum to find a vulnerable webapp
find out where this webapp runs
understand the vulnerability and the mechanism to trigger it
if there is a protection mechanism, think of a way for the protection to be self-resolved
there is a data storage running locally, why not change the values in it? you can both promote yourself and add new values
if you have gone through the above, you should have a reverse shell to another container now
escape the container, the steps are not difficult, but you need to understand how the container communicates with the host
check on hacktricks for something equivalent to linpeas, but designed for container

nullb1te · October 2, 2022, 6:39pm

Excellent machine, i definitely learned a lot from it… PE to root is way easier, than the user flag in my opinion.

lim8en1 · February 3, 2023, 3:39pm

Just rooted this box and it was super fun. Learned some nice techniques in both user&root parts.
If anyone needs a hint feel free to ask!

Topic		Replies	Views
Official Moderators Discussion Machines	12	2470	October 17, 2022
Official Meta Discussion Machines	90	7034	June 9, 2022
Official Backdoor Discussion Machines	93	11062	May 30, 2022
Official Trick Discussion Machines	346	19832	December 23, 2022
Official Undetected Discussion Machines	62	5606	June 27, 2022

Official Extension Discussion

Related topics