Official MagicGardens Discussion

Official discussion thread for MagicGardens. Please do not post any spoilers or big hints.


Hi everyone, has anyone already found an attack chain?

I found that I could send messages to different users, but I couldn’t XSS, and trying to pass names on files using LFI didn’t work either.

Am I on the right track or down a rabbit hole trying to exploit a format string vulnerability?

I’d bank that someone has

I think so, I’ve been trying to exploit it that way.

But what after that?
How to respond to the message sent with love?

Is there a certain avenue we need to be looking? (still on initial)

Any update? I’m running out of ideas…


Try to bruteforce usernames! There are different ways to bruteforce usernames, one of them gave me a username. With this username you can then bruteforce the password using the API.

Oh yes I was thinking about that. Good!!

Rockyou will do? How long should password bruteforcing take? Had no hit in 100K entries yesterday.

According to HTB policy, rockyou is fine. If brute-force is intended, you will get a result within 10 minutes.

Did anyone get user the intended way?

Yeah, rockyou worked for me, didn’t take very long. Make sure you bruteforce the correct login (API).

ROOTED !!!
PM if you need help


Which wordlist did you use to bruteforce usernames?
I have been using some predefined lists on Kali but no success.

SecLists wordlist is also good with names as choice.

Hi guys, anybody need any help regarding MagicGardens?
Join our official group and ask any questions.

Any help on initial access?