Official discussion thread for MagicGardens. Please do not post any spoilers or big hints.
Hi everyone, has anyone already found an attack chain?
I found that I could send messages to different users, but I couldn’t XSS, and trying to pass file names using LFI didn’t work either.
Am I on the right track or down a rabbit hole trying to exploit a format string vulnerability?
I’d bank that someone has
I think so, I’ve been trying to exploit it that way
But what after that?
How to respond to the message sent with love?
Is there a certain avenue we need to be looking? (still on initial)
Any update? I’m running out of ideas…
Try to bruteforce usernames! There are different ways to bruteforce usernames; one of them gave me a username. With this username you can then bruteforce the password using the API.
Oh yes I was thinking about that. Good!!
Will rockyou do? How long should password bruteforcing take? Had no hit in 100K entries yesterday
According to HTB policy, rockyou is fine. If brute-force is intended, you will get a result within 10 minutes.
Did anyone get user the intended way?
Yeah, rockyou worked for me, didn't take very long. Make sure you bruteforce the correct login (API).
ROOTED !!!
PM if you need help
Which wordlist did you use to bruteforce usernames?
I have been using some predefined lists on Kali but no success
The SecLists wordlist is also a good choice for names
Hi guys, does anybody need any help regarding MagicGardens?
Join our official group and ask any questions
Any help on initial access?