maybe you can give me a hint if you get the user…
Check DMs
Instant pwned.
This was an interesting box.
A bit frustrating with initial foothold (personally needed a hint from these forums about that extra subdomain), but other than that it is pretty straightforward.
Great stuff, learnt quite a bit.
Good machine, foothold took me quite some time, I was having an internal server error but in the end I realised it was my bad haha
Hey guys,
I need some help here being a noob.
I found the first two subdomains and the Authorization token.
Apparently there is a 3rd subdomain? Where do I look? Can’t find references inside the code.
Concerning the Authorization token, I can’t use it. I try to view logs but am getting 500 Internal Server Error.
Cheers!
For those that don’t want to use Windows (like me), there is a Python script online that can be used to find special information after getting the user. However, its dependencies rely on a Python virtual environment for its modules to work.
I got them into the format that hashcat was expecting, but when it said it would take over a day to go through them I knew it wasn’t the path.
If you’re curious about the correct format, run the following command:
hashcat --example-hashes --mach | grep -i pbkdf2 | grep sha256
There are a few options to choose from, but only one of them works with hashcat (10900).
I’m making this machine right now and I think it’s really cool <3.
Happy hacking!
LaTorche.
I just finished in two/three days, alone.
For me it was difficult, my first medium machine with no writeup. But the machine was very good to work on.
Hi. I’m stuck at the PBKDF2 dictionary attack. Tried many tools (Python script, hashcat), changing the encoding from hex to base64 for hashcat, with no results.
Any hint please? (I’m using the rockyou wordlist)
Hi everyone!
I’m on the final stretch I believe and I have 2 hashes for user and admin but I have tried many ways to crack them and I believe they are the wrong attack vectors, could anyone please point me in the right direction so I can pwn this box.
Thank you!
Try to find suspicious third-party files
DONE!
User: decompile apk (jadx-gui is wonderful at this) → get token and subdomain → get user and id_rsa (swagger page makes it easy enough)
Root: found interesting .dat file, didn’t want to use Windows - there is a great Python script which does the same thing in Linux (link was sent here a few messages above). Great tip to use venv for it, thanks!
I couldn’t ssh as root (or maybe pass got special chars that break it), so I had to ssh as regular user and su inside.
Feel free to DM for a nudge!
User: grep -r instant for apk, use sw***-editor to see things more clearly.
Privesc: look for datdat find script in GitHub to decrypt it.
Rooted! There are enough hints on the forum already but DM me if you need help