Official Love Discussion

I’m new to these and would like it if I could get a nudge from someone. I have enumerated as far as I know, I think. Any nudge would help. Thanks!

@ali15 Try nmap; you will find some ports to explore and maybe sub-domains.

@soBr0kEn said:
I’m new to these and would like it if I could get a nudge from someone. I have enumerated as far as I know, I think. Any nudge would help. Thanks!

nmap will give you the way … PM me if you need more help

Fun box :slight_smile:
The enumeration part was interesting; not sure if I did it the intended way, I ended up using a rather ugly method, but at the end of the day I got what I needed!
The root part got me confused. Everything was very slow and the box behaved strangely, but I don’t know if it came from the network or not. I used the famous tool because none of what I tried manually worked; if anyone managed to get it working without any external tools, I’d like to hear about it!

Thank you @pwnmeow

Hi, could somebody give me a nudge? I found the path and tried several things, but I could not figure out the exploit.

I managed to get the user flag through some fairly bootleg webshell, and have some amount of RCE as user. I can’t for the life of me establish a stable shell as user to work with, to even start on root. I’ve tried so many options with common tools and ‘non-tools’, based on what I know is on the box and from elsewhere online, and nothing’s been stable at all so far. If someone can poke me with a hint as to which/what worked for them it would be much appreciated. Banging my head against such a silly obstacle.

Guys, I finally figured it out ;)

Spoiler Removed

I need tips/help to get root… asap.
DM me.

Rooted! Thanks to some tips in this forum.

Spoiler Removed

Could someone DM me a tip for the foothold? I found the ‘beta’ page I can interact with, but I struggle to find a valid file to throw there… Much appreciated!

@anir08 said:

Rooted.

For anyone looking at the forums searching for hints, I’m gonna be blunt and say this: You know what you know and you don’t know what you don’t know! Stop with that TryHard thing!
My hints:

FootHold/User
Let your nmap be aggressive and read the output very carefully! Half of the steps to Foothold lies there! Got it? Nice!
Make the necessary changes. Cool!
Now head over to the “secret” area which was not available before and manually enumerate it very carefully! Like use your EYES instead of firing off gobuster and wfuzz.
Then read about this:
What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy
Read it? Now you know what to do!

Take a step back and let the snake take the auto-pilot from there!!

Escalation/System
I’d be real honest here… if you don’t have a solid Windows priv-esc methodology, you won’t be able to do this. It’s more like a hit-error-success thingy. Without giving away much, enumerate registry keys and look for software policies… Google a lot and you’ll end up on a famous blog website which explains exactly what it is. From there it’s 2 minutes to SYSTEM.

I fell into the rabbit hole concerning the ***i and lost 2 hours until I looked at it again from the top side. Sometimes you need to take a breather!
Good Luck!
El-Psy-Kongroo!

(Also why the ■■■■ can’t I submit the flags ■■■■)

Edit: Flag submitted. I had to revert it two times (sorry if I caused disturbances to others in that time).
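Seen from the defending side, the SSRF the hints above point at is a server-side fetch that never checks where the user-supplied URL actually leads. The guard below is an added example, not code from the box or from anyone in this thread: it allowlists the scheme, refuses embedded credentials, resolves the host, and rejects any address that is loopback, private, link-local, multicast, reserved or unspecified, including IPv4-mapped IPv6 forms of those. The resolver is injected so the check runs offline; `SAMPLE_TABLE` and the `*.example` hostnames in it are constructed for the example.

```python
"""SSRF destination guard: decide whether a user-supplied URL may be fetched server-side."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table for offline use; real code would resolve via DNS.
SAMPLE_TABLE = {
    "public.example": ["8.8.8.8"],
    "internal.example": ["10.0.0.5"],
    "dual.example": ["8.8.8.8", "127.0.0.1"],  # one public, one loopback answer
}


def make_resolver(table):
    """Build a resolve(host) -> list[str] function from a static table (test helper)."""
    def resolve(host):
        try:
            return table[host]
        except KeyError:
            raise OSError(f"no such host: {host}")
    return resolve


def default_resolve(host):
    """Real resolver: every A/AAAA answer for the host, so a mixed answer is fully checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip):
    """True only for addresses a server-side fetcher should be allowed to reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_fetch_target(url, resolve=default_resolve):
    """Return (ok, reason). ok is True only if every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        # Literal IP (brackets already stripped by urlsplit) needs no resolution.
        ips = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if not ips:
        return False, "host resolved to no addresses"
    for ip in ips:
        if not _is_public(ip):
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    resolver = make_resolver(SAMPLE_TABLE)
    for candidate in ("http://public.example/api", "http://internal.example/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/hosts"):
        print(candidate, "->", check_fetch_target(candidate, resolver))
```

Validating and then fetching by hostname still leaves a window for DNS rebinding, so a production fetcher should connect to the address it validated (or pin the resolver answer) rather than resolve a second time, and should apply the same check to every redirect hop.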

Thanks! I was trying all the right things… but the link helped me with the right format

@Ob1lan said:

Could someone DM me a tip for the foothold? I found the ‘beta’ page I can interact with, but I struggle to find a valid file to throw there… Much appreciated!

Same here, I would really appreciate some help…

On the beta, I can read files and believe me, I tried hundreds, I did not find anything interesting. Could somebody tell me if this is the right way to go - look at the content of files? I went down the SSRF road as well, but no success.

I gladly went down every rabbit hole there was, even tried cracking hashes I found for two hours ^^

EDIT: Thanks @NoMad for the reassurance that simple SSRF is the way to go! Root part took like 5 minutes; luckily it’s one of the first things I check manually. :wink:

I found Vote Admin Creds… but I’m not able to login with them??

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you copy/paste correctly… Some pesky characters can follow sometimes :wink:

@Ob1lan said:

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you copy/paste correctly… Some pesky characters can follow sometimes :wink:

I get the same error whether I try pasting, typing manually, with/without the extra spaces, etc… Not sure how else to go about it really. Was thinking I just had the wrong creds, but I’ve seen elsewhere that the creds I found are indeed the correct ones. I dunno.

Fun box!

Could someone DM me with assistance? I need to understand what I am missing. I have the workings of the foothold, just unsure what exactly I should be targeting. Thank you in advance.

Edit: I played around a little more and got my start.

Edit Edit: Rooted. Priv Escalation is Easy Peasy.

Got user, enjoyed that, however struggling on PrivEsc.

Shell doesn’t seem to be stable whatsoever. My mr shell doesn’t even spawn, even with encoding, and the only successful shell has been a standard non-mr, but even that dies after a few minutes… Any nudges? Don’t need much, just a stable platform to start PrivEsc from.