Maybe you can give me a hint if you get the user…
Check DMs
Instant pwned.
This was an interesting box.
A bit frustrating with initial foothold (personally needed a hint from these forums about that extra subdomain), but other than that it is pretty straight forward.
Great stuff, learnt quite a bit.
Good machine, foothold took me quite some time, I was having an internal server error but in the end I realised it was my bad haha
Hey guys,
I need some help here being a noob.
I found the first two subdomains and the Authorization token.
Apparently there is a 3rd subdomain? Where do I look? Can’t find references inside the code.
Concerning the Authorization token, I can’t use it. I try to view logs but am getting 500 Internal Server Error.
Cheers!
For those that don’t want to use Windows (like me), there is a Python script online that can be used to find special information after getting the user. However, its dependencies rely on a Python virtual environment for its modules to work.
I got them into the format that hashcat was expecting, but when it said it would take over a day to go through them I knew it wasn’t the path.
If you’re curious about the correct format, run the following command:
hashcat --example-hashes --mach | grep -i pbkdf2 | grep sha256
There are a few options to choose from, but only one of them works with hashcat (10900).
I’m making this machine right now and I think it’s really cool <3.
Happy hacking !
LaTorche.
I just finished in two/three days, alone.
For me it was difficult, my first medium machine with no writeup. But the machine was very good to work on.
Hi. I’m stuck at PBKDF2 dictionary attack. Tried many tools (python script, hashcat), changing the encoding from hex to base64 for hashcat, with no results.
Any hint please? (I’m using the rockyou wordlist)
Hi everyone!
I’m on the final stretch I believe and I have 2 hashes for user and admin, but I have tried many ways to crack them and I believe they are the wrong attack vectors. Could anyone please point me in the right direction so I can pwn this box?
Thank you!
Try to find suspicious third-party files.
DONE!
User: decompile apk (jadx-gui is wonderful at this) → get token and subdomain → get user and id_rsa (swagger page makes it easy enough)
Root: found interesting .dat file, didn’t want to use Windows - there is a great Python script which does the same thing in Linux (link was sent here a few messages above). Great tip to use venv for it, thanks!
I couldn’t ssh as root (or maybe pass got special chars that breaks it), so I had to ssh as regular user and su inside.
feel free to DM for a nudge!
User: grep -r instant for apk, use sw***-editor to see things more clearly.
Privesc: look for dat, find a script on GitHub to decrypt it.
Rooted! There are enough hints on the forum already but DM me if you need help
Spoilered for courtesy of the other players working on this box (and also so I don’t get banned in case this is too specific a hint): That Authorization token is meant to be used with a specific interface on the box hosted on one of the subdomains
If you need to, you can tell me over DMs what subdomains you found, and I can share some of my notes.
While I’m here, here’s where I am:
Foothold/User: I have a bunch of usernames but no passwords to go with them, and a service that I can do some messing around in, all thanks to the enumeration of the apk.
Where I am stuck is those passwords. I feel as if I’m missing something, since I haven’t been able to finesse that service into leaking anything further in the confidential information area. I have the other subdomains too, but cURL-ing them tells me one isn’t going to be helpful, and from the other I haven’t been able to get anything other than status codes of the 400s variety.
Feel free to DM me about this (or you can reply to this too, anything is welcome in my suggestion box), I check the corresponding threads and my DMs a LOT when I work on active machines.
Read APK. You are on a good path. Continue. Don’t stop believing in yourself. You can do it!
Cheers
Bro I’m so stumped right now. I got the user flag, found the sqlite db (and extracted the hashes) and found the encrypted session-backup… I’m assuming the admin pw hash (once cracked) will unlock the session-backup file… but I can not figure out how to crack this kind of hash… I read online that it’s a werkzeug hash (which makes sense as that was enumerated earlier) but I can’t get the hashcat -m mode correct… also tried a tool from github called “werkzeughashcracker” but I suppose I’m not entering the hash correctly?? The hashes all begin with “pbkdfs:sha256:600000$xxxxxxxxxxxx$…” HELP!
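Two posts above (the one about hashcat’s expected PBKDF2 format, and the last one about hashes beginning with `pbkdf2:sha256:600000$salt$…`) are really about the same thing: the layout Werkzeug uses for password hashes and why 600000 PBKDF2 iterations make a dictionary attack so slow. The following added example is not from any post in this thread and is not Werkzeug’s own code; it reimplements that layout with the standard library so you can see what each `$`-separated field is and check a candidate password against a stored hash without any third-party tool. The function names (`make_hash`, `parse_hash`, `verify_password`) and the sample salt/password values are my own.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Werkzeug's PBKDF2 layout: "pbkdf2:<hash_name>:<iterations>$<salt>$<hex digest>".
# The salt is an ASCII string (Werkzeug uses 16 random characters); the digest is the
# hex of PBKDF2-HMAC over the UTF-8 password with the UTF-8 salt bytes.
METHOD = "pbkdf2"
HASH_NAME = "sha256"
DEFAULT_ITERATIONS = 600000  # the iteration count seen in the thread


def make_hash(password: str, iterations: int = DEFAULT_ITERATIONS,
              salt: Optional[str] = None) -> str:
    """Build a Werkzeug-style hash string (assumed layout, reimplemented here)."""
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex chars, same length as Werkzeug's default
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return f"{METHOD}:{HASH_NAME}:{iterations}${salt}${dk.hex()}"


def parse_hash(stored: str) -> Tuple[str, int, str, str]:
    """Split a stored hash into (hash_name, iterations, salt, hex_digest).

    Raises ValueError on anything that is not the pbkdf2:sha256 layout, which is
    the usual cause of 'wrong format' errors in cracking/verification tools.
    """
    try:
        method, salt, digest = stored.split("$", 2)
        algo, hash_name, iterations = method.split(":")
    except ValueError as exc:
        raise ValueError(f"not a pbkdf2 hash string: {stored!r}") from exc
    if algo != METHOD or hash_name != HASH_NAME:
        raise ValueError(f"unsupported method {algo}:{hash_name}")
    if len(digest) != 64:  # sha256 -> 32 bytes -> 64 hex characters
        raise ValueError("digest length does not match sha256")
    return hash_name, int(iterations), salt, digest


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest for one candidate and compare in constant time."""
    hash_name, iterations, salt, digest = parse_hash(stored)
    dk = hashlib.pbkdf2_hmac(hash_name, candidate.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return hmac.compare_digest(dk.hex(), digest)


def seconds_per_guess(iterations: int = DEFAULT_ITERATIONS) -> float:
    """Time one PBKDF2 evaluation: this is the per-word cost of a dictionary attack,
    and the reason the thread reports 'over a day' for a large wordlist."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"timing-probe", b"constructed-salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample values, not taken from the box.
    stored = make_hash("correct horse battery staple", salt="a1b2c3d4e5f60718")
    print("stored:", stored)
    print("fields:", parse_hash(stored))
    print("right password verifies:", verify_password(stored, "correct horse battery staple"))
    print("wrong password verifies:", verify_password(stored, "password123"))
    print(f"one guess at {DEFAULT_ITERATIONS} iterations: {seconds_per_guess():.3f}s")
```

The third field is the iteration count, so a stored value that starts with `pbkdf2:sha256:600000$` tells you every guess costs 600000 HMAC-SHA256 rounds; multiply `seconds_per_guess()` by the wordlist size to see why the earlier poster got a multi-day estimate. From the defending side this is also why bumping the iteration count (or moving to a memory-hard scheme) is the cheapest mitigation when a password database leaks.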