Official Format Discussion

I desperately need a nudge on foothold. I’m utterly stuck

Awesome box, don’t understand the rating people are giving it :confused:

For anyone stuck, here are a few hints.
On user, understand what the first vulnerability you are exploiting does. Is it a pure inclusion, a read, or a write + read?
The app temporarily gives you/itself permission to do what you need. You’ve got to run for it and be quick.

On root, as said above, remember the box name. There are a few ways to exploit a f***** s*****.

Feel free to hit me up if you need help :wink:

You took the unintended path

I’ve rooted the machine, but for user I’ve used the unintended path, so now I’m looking at how to solve it the right way xD.
Hints for root: check what you control and where it goes. As stated above, the machine’s name is the biggest hint :slight_smile:

Any hint for the foothold? I’m able to download the files but can’t get the race to work

Spent all day trying to understand how to get the Pro account. Any hint?

I’m going to second what leigh said. If you find yourself in a race, I’m almost certain that is an unintended solution to the problem.

Interesting, thanks
I’m gonna try to find the intended way and update my hints then :slight_smile:

Finally got the intended way to work :slight_smile: Very interesting box, even if I lost a lot of nerves, haha.

Hi all, as mentioned by a few people, the race method is unintended, try and become pro, it won’t waste your time :smile:

A big thanks to @thetempentest for hinting on the right way to access the redis socket! :slight_smile:

Been wasting whole day on it, got no clue xD

Am I supposed to be able to use the session cookie and log in as c*****r? Doesn’t seem to work for me.

edit: nvm, need to use the right get mode for r***s

I’m stuck at the same place :(

Interesting thing is that the race condition is pretty reliable (it takes from a few seconds to a few minutes to trigger; with each successful attempt it takes more time to trigger it again).
Actually there is another race condition in that code that is even easier to trigger, but I have not found a way to turn it into something useful (it makes the microblog directory writable).
The intended way is pretty nice btw, I had to research quite a bit to understand what’s happening inside.
Thanks for the box! :slight_smile:

Several things that may get people stuck:

  • if the site allows you to provision a blog at a subdomain, it means there must be some dynamic reverse proxying happening
  • from the source, r***s runs using a different get/set mode than the conventional one
  • general python sandbox escape techniques can be applied here

Stuck on getting pro, can someone help me? DMs are welcome PLEASE

I’m currently still working on the foothold. I found a disclosure vuln. The source code indicates that there is a certain feature that is currently locked, but I couldn’t figure out how to enable it. Any hint on how I should proceed?

TO THE STAFF

I had some problems visiting and editing the built blog, could you check please?

Did you add it to your hosts file?