Official Inject Discussion

This was actually a fun box. Initial foothold was not trivial to execute in my opinion. Root was a breeze. :slight_smile:

DM me if you require assistance. I want to also help others like @Paradise_R does! :slight_smile:

5 Likes

Just rooted this box. This was an easy box alright, but finding the right way to get foothold took quite a bit of time for me. Root was a piece of cake though (mainly because I’ve found all the interesting things on the machine during the foothold/user step).
Still, it was a very nice machine and made me think about skills I need to work on.

1 Like

Give me a hint, how to foothold in this machine

1 Like

I was able to read the associated code snippet regarding the u***** function but I’m not sure if I’m headed in the right direction.

EDIT: Enumeration is key, I found the goods shortly after looking through a particular file again. Now to figure out root!

EDIT #2: Rooted! root was a breeze compared to the foothold. User was kind of a let down but with proper enumeration, it makes sense why it was so easy.

Answering frequently asked questions for this one :heart:

  • If you think you are in a rabbit hole, yes, upload vulnerabilities are a rabbit hole; instead, open your Burp Repeater and do the basic procedure you would for a parameter that fetches files
  • You can read any document, but which are important? It is hard to say, but it runs a framework, does it have known vulnerabilities? Check pom.xml to find it out :smiling_face:
  • You can’t find anything in your home directory with ls? Use ls -a to see hidden directories and files, and verify each of them that can be vulnerable
  • Shell is an easy thing, just identify the automated processes and find a way to exploit them
  • When a virus enters a cell, it modifies its genetic code to make the cell work for the virus, you need to do the same thing here, just get the actual file and create a malicious modified copy to make it escalate your privileges, and make sure to get a reverse shell and not suid, because it could spoil the game for other players :smiling_face:

I hope it answers most questions, if anyone still needs help, just send me a message, as always R is always going to be here :heart:

18 Likes

:') Internal Server Error 500
Every time I upload a file, for some reason. Also, when I spawned this box, the IP it gave me doesn’t respond to anything…

Major hints for each flag:
User: don’t spend too much time on the upload part, instead focus on the result path of the upload. Once you find the vulnerable part of the link, spend time prodding around and looking for versions and all the standard enumeration stuff.
Root: If you did a lot of enum with the user stage, you’ll likely have already found the technique. Otherwise, use the inclusion from the user stage to check each of the root folders, and play around.

2 Likes

Rooted! Google is your friend with this one.

Anyone stuck, feel free to send me a PM :slight_smile:

Fun box! Good stuff.

User: Use @Paradise_R’s hints, they’re very good. The website only really has 1 function, look into all aspects of it, not just the obvious one. The name of the box might throw you off on this one. From here enumerate all the things running the site. Check for exploits for each of them. You’ll know when you find it, it’s very juicy.

User 2: Easy cred leak, ls -la and cat will find it

Root: Google is your friend here. Also try running Pspy and see what it finds. This is what did it for me. From here use Google or ChatGPT to figure out a payload.

Feel free to PM for help

1 Like

Fun box, except me getting stuck for 3 hours with what I’m guessing was a network issue on my end (a reboot fixed it). Thanks @Paradise_R for letting me know I was on the right track.

Just to echo some stuff above - the website only has one function of note, play around with it w/ a proxy and work out what the tech stack is; user is a bit of an annoying one, just look around; for root, check the user’s id output and then see what on the fs they’ve got permissions for.

PM’s open if anyone has any specific questions.

1 Like

I’ve been trying to load the file but I haven’t been successful. I don’t know what else to try

DM me and we can go over what you’ve tried so far.
But basically, it’s less about the file you upload and more about what you can do AFTER an image file is loaded successfully.

1 Like

Fun box… eventually… but there’s a lot to absorb.

There are some useful hints in this thread for User, but it took me ages to craft a working payload for root. The “gtfo” way didn’t work for me, but some persistent googling led me to victory.

User:

Fun box… it’s relatively straightforward but the key is enumeration. Really dig into what’s going on there and what techniques are used. If you know what technique is used you can search for some config files that give you further info about the version used.

That reveals a vulnerability with RCE that can be used.

root:
pretty easy, just look around in the usual folders. You will soon find some information in both user directories and in some main folder. From there it’s straightforward.

Finally rooted. Thanks to @Paradise_R for hints :smiley:

I don’t think I would classify this as an easy machine… medium was the right rank in my opinion.

2 Likes

I’m stuck with root

2 Likes

I’m stuck on the payload to exploit Ansible

Can anyone please dm me :face_holding_back_tears:, I am really stuck, and can’t find a way to exploit any vulnerability nor find any information. I just need a hint to get me going.

1 Like

My shell won’t load after trying to su and entering a password, it just freezes, should I reset the machine?

try to do the stty shell

1 Like