Official Forgot Discussion

I would also be interested in what technique to use here.

Anyone can send help in PM?

Finally got user flag :slight_smile:
IMHO one of the hardest medium rated boxes done so far…
Many people seem to be stuck at the same point, where we need to access the disabled page.
In my opinion the previous hints on this forum are not very helpful or even misleading.
Therefore some things to consider, (hopefully) without spoilers:

  1. Notice some strange behavior from the web server.
  2. Ensure to understand the architecture and each component of the application. (What components are used? How do they generally work?)
  3. What general vulnerabilities do certain components have? What do you need to successfully exploit it?
  4. Multiple things need to be combined now…

I have to say that after I discovered the first infiltration method, I got stuck after that.
There was an unintended way with the HTTP header. Now, the js code has been changed that checks on /escalate if the element “link” contains “http”.. The sanitazation is now server-side, I assume.

Its sending a XML PostReq, I tried to rename the parameter to kinda bypass the server-side check. This just defaces everything on the website and nothing on my end gets feedback from the server.

Seem to not find any possible redirect options on the website, will probably turn off and try to solve it in the back of my brain smh

maybe sql injection? if params doesnt get sanitized in the request, I might be able to put sql expressions in it.

Thanks. But still not clear…

Yes, obviously you need to use Link to achieve your goals, but I can’t see the response on my server.

You might be on the wrong track, if you are looking for a S**F vulnerability it is a rabbit hole. I’d recommend to start over with the steps I mentioned above.
Ensure that you understand the architecture and each component on the box. Try researching again what vulnerabilities might be possible when using such components.


I am completely stumped here and have basically been hurling everything including the kitchen sink at this lately. I assume it involves something about the cache and perhaps something that Mr. Kettle has written about nearly a year ago. Or perhaps not since I am making no progress on that front. Basically just stubbornly kicking the wall right now which is blinding me from seeing or thinking it through. I could use a tiny non-spoiler nudge but perhaps a tinsy bit clearer than has been stated already (if possible)?

It is not the vulnerability Mr. Kettle discovered in one of the technologies, its another type of vulnerability. However Mr. Kettle has also done very good research on another topic which is may involved here :slight_smile:

A tiny spoiler would be, don’t look for public CVE’s.

1 Like

When doing pentest wouldn’t spend so much time on just one, and I have wasted well over a week on it at the same exact place. I’m so frustrated. (And to make it worse I am pretty certain that the answer is probably in my notes or a screen capture staring me in the face.) :face_with_symbols_over_mouth:

1 Like

I agree. This is a good box, but it is very frustrating with the complete absence of any hints of a solution.

Anybody help with the foothold after logging in?

Tried alot of different things with cookies.

Also tried the form but i havent had any luck

Maybe it does involve some web cache poisoning after web login? Will step into some research and see if there is anything applicable to this box.

I hope this message can help and not cause more confusion.

  • Once you have successfully logged in, the vulnerability you used is no longer needed for anything else.
  • Inside the application focus on /escalate page.
  • The link field is important.
  • The web uses a technology to cache things, but what things?
  • Does it make sense to cache dynamic content?
  • Don’t expect to find a code injection vulnerability or similar.

Since I have been frustrated with the /admin_tickets access denied for quite a while as well, this is what would have helped me:

  • Is it possible to get cached results (age matters)?
  • In general, you get the cached response from the first user that visited a resource link.

you can PM me if you need more help.


I finished it yesterday, both user and system flag, you can check the machine activity to see when people got the flags after the date you mention.

Did these hints help anyone? I still can’t get to the disabled page. :face_with_raised_eyebrow:

Have you ever encountered any web content being cached? If you have found it, have you made sure that the data it returns is the same as non-cached content?

If I were a web programmer, maybe I would be interested in caching static content of the application, it does not make sense to always make the same request for a content that does not change, right?

1 Like

Yes, you’re right, thank you. I have already received several exhaustive hints, I will continue my research.

After 2 weeks of trying, I finally got user. For those struggling with user, there are 2 ways to point to the box itself (IP / Domain); one will give you an error if you use it in the link–try the other way. This took me 2 weeks to figure out. Hopefully, this is helpful and not confusing/spoiler.

I posted two weeks ago, that I could not progress further than the login. I figured a way out to access the specific path. Credentials are not working though. I tried to use the credentials for ssh, web login but I cant get it working. I dont know what I’m missing here again.

username:password is somehow not working for the specific service…
Seems like credentials were not fixed “… At The Earliest” :crazy_face:

Nevermind, the credentials are definetly working. Reminder: Some characters are capitalized. Raw Response and web UI showing the capitalized characters differently. Please watch out.