Official MagicGardens Discussion

look at smtp port ?

Does anyone have timeout when trying to load the file?

1 Like

Guys what payload for morty xss

Why doesn’t this run on root? Morty 1879 0.0 0.0 9056 4004? Sl 09:01 0:00 _ /usr/bin/geckodriver --port 55623 --websocket-port 45009 Morty 1885 7.5 7.6 2794752 306076? Sl 09:01 0:08 _ firefox-esr --marionette --headless --remote-debugging-port 45009 --remote-allow-hosts localhost -no-remote -profile /tmp/rust_mozprofilenKaTE9

Is SMTP supposed to be filtered or is there something strange with the machine/my setup? I have reset the machine, but it is still filtered:

jfsebastian@NB61:/opt/DockerRegistryGrabber$ nmap -A -Pn -p 25 -sC magicgardens.htb
Starting Nmap 7.94SVN ( ) at 2024-05-28 16:39 CEST
Nmap scan report for magicgardens.htb (
Host is up (0.094s latency).

25/tcp filtered smtp
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using proto 1/icmp)
1   97.10 ms
2   48.58 ms magicgardens.htb (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 4.72 seconds
jfsebastian@NB61:/opt/DockerRegistryGrabber$ ncat -v magicgardens.htb 25           
Ncat: Version 7.94SVN ( )

According to change notes these were both unintended paths

27TH MAY, 2024



Fixed Unintendeds / Rabbit Holes

Implemented measures to prevent unintended brute force and moved geckodriver to run as non-privileged user. Made exploitation of specific step more reliable.

it’s because of what you have used to scan with nmap (-A and -sC) try just -sV or -sS or just nmap -Pn .

Also after found the smtp port, search how to bruteforce users with smtp, and you will find a user then bruteforce his password …

Anyone who want to PM me about the foothold(after the machine update)? :smiley:


I am stuck with the root flag. I managed to get the user flag, and then “a” password for a certain user, but I fail to see how this is used (a rabbit hole maybe?). Originally I thought the password could be used to access the docker registry (with the 5000 port), but this user does not seem to be an authorized user there. The mail that was found seems to suggest that he could access docker configurations though, did the latest change break this?

Hello All,

Since the box was updated the port 25 is filtred, try bunch of nmap command but still filtred.
II figure it out that in the search area, i think it could be a SQLi or this is maybe a rabbit hole ?
Doing ( in the search field will return code 500. Is my first insane box so i’m not a pro on many SQL tecnics but it may help.

All enumeration trough port 25 fail for me with timeout telnet will not connect either

are you able to solve? i am stuck at same step

Hello, everyone!
Can someone give me a nudge where to look after m*y user? Can’t find a vector of lateral movement towards ax…

If anyone is stuck at a same step for long they can pm me

According to the changelog, user enum should not be possible from the start… However, it still is, via different path, so I assume this is unintended? How can I contact box owner and share enum path, so that owner can decide whether this should also be patched?

Is there someone who pwned this machine in an intended way, I know that it much more difficult, and I would like to ask a couple of questions.

Thanks in advance.

(post deleted by author)

(post deleted by author)