Official Format Discussion

This machine is driving me nuts!!!

So with some help I’ve managed to get pro and get a shell as www-data…

I just can’t see how to get to the user …

is it to do with the hidden directory ?

No hidden directory. Enumerate a little bit, think about where you can find usernames and passwords.



1 Like

Finally, after a week and a half, this “script kiddie” has rooted format. It was definitely a very humble experience pwning this box. Huge shoutout to @otter for helping me understand not only the techniques but the whole concept behind getting pro and to @zemunk3y for pointing me in the right direction with the root part. And big thanks to the creator of the box. Format is awesome. Good luck everyone who is still working on it.


Was more of a brainfvck for me but I Finally pawned it. Id consider this machine hard not medium. Shout out if you need a nudge!

what should i do after finding token endpoint?
(jwt attacks dont work and token cant be used with -1 to reach DR)

Well this was a ride but I enjoyed the struggle. Foothold was crazy to me falling into many rabbit holes. After getting PRO, remember you gain write access to something.

Anybody willing to hint me with this one a bit? I’ve been working like crazy for days on this one. Got through the first steps, got an idea and found the two first vulnerabilities and got a general idea of what to do but I cannot see how to upload the webshell for the first steps of the pwn

Any help will be greatly appreciated

DId you ever get pro by chance? I’ve been struggling for hours now, i know im overlooking something obvious…

1 Like

I know exactly where the formatting bug is for root, could anyone perhaps nudge me in how to exploit it? I’m having trouble escaping the string to execute my code because of redis securing my input…

I’m stuck after getting pro user, any hints ?

Wow, the race condition is interesting, but the intended way just blew my mind! I heard about these issues before, but never saw them on practice.

Will go check all my configurations now :smiley:

From the foothold the rest is fairly straightforward.

Same here. Why are we able to do that to the redis socket?

Rooted! Man that box was tough but I def learned alot. I’m still trying to understand some concepts from the whole exploit chain, so if you have experience with redis/nginx can I ask a few questions? I’d greatly appreciate it.

Not a dumb question, don’t sweat it. Some people start to learn hacking and they turn into female praying mantis’. They eat the head of anyone who approaches them.

Same here. I’m reading through the source code to find a way in but I’m stucked.

Edit: managed to get foot in

Edit2: rooted. This box was tough because I faced many steps I’m not quite familiar. I’d rate as a hard box.

How you guys found out there is redis in place?

I got the user flag, but I did not need to get a pro account to get a reverse shell and user flag. Also without using the non intended race way. Can someone DM me how it is even possible to get a pro account without reverse shell? (Please do not spoil root yet.)

hey guys late on the box but i have managed to find a way to get PRO but trying to upload a shell or anything im lost at , if anyone can give me a nudge thanks in advance!!