Guys, for the user part:
If you don’t want to read all the stuff on the document (of the app that runs the machine) you may think about installing the app to VM to check application functionalities. It’s a good habit to research vulnerabilities.
1 Like
Quite a fun box overall, I got caught up in a few rabbit holes early one which scuppered my progress.
Once I figured it out the user part was pretty easy.
As for root, took me a bit to figure out what to exploit but once I took a deeper look it made sense.
Overall fun box!
1 Like
Hello can i dm you to be sure that i’m on the right way and not a rabbit hole ?
Thks
Yeah of course, more than happy to give a nudge.
1 Like
I have obtain the ad*** h*** and access th********* but i can’t seem to get past here with the P**
with the hints from @cyberf0x and @jordan01236 to avoid to put myself in a rabbit hole, i’ve root the machine…
Thks to you guys
4 Likes
I’m having a difficult time getting the initial user foothold. I’ve read over the instruction.pdf, looked at the SSL cert stuff, but I must be missing something. Could someone pm so I can explain my thought process and maybe get nudged in the right direction?
I am also in the same situation. Were you able to make it any further?
I have not
If i type sudo rpcclient -U support 10.10.11.14 then i am getting error “Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT”
I dont know what to do
Please help
Evil winrm keeps failing for me, can anyone help? Error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired
Investigate the site more, maybe look closer at how you downloaded that PDF. Then you’ll wanna investigate the technology being used for how you can use your newly-found vulnerability
Rooted this one yesterday, and I was stuck on root for longer than I’d like to admit.
My tip for root is:
All flags of this box require interaction from an ‘unsuspecting target’. There’s an odd folder you’ll see, but it’s not at all obvious as to how it’s used at first. Investigate other software and see if there’s something that kinda makes sense in how you’d use that odd folder.
1 Like
So I get admin cred to authenticate in the mail system but there are no messages in the inbox. Is that normal?
Thanx
Wait a few minutes
So… I’ve been stuck for a bit. I’ve identified that the dow******p is the vector. Also that a windows box running S** is and PHP is vulnerable to bypass allow_url_include flag. Trying to run a RF*, but I just can’t get it to locate my file.
Am I in a rabbit hole?
Finally, root. But somebody can explain to me why in both cases, ntlm attack and the execution of the reverse shell I could use the same command and payload respectively, and it worked in some cases, and in others, nothing happened.
It was a fun box, I recommend to the community don’t make spoilers about credentials around there because some people just copy paste and get the flaw, let’s make this a community of outstanding white hats.
finally got it. my hint for root is that even though its an easy box you can bypass the av. there is a version of a common binary on github that does exactly that. I could never get it to work with powershell
root was fairly easy I just got lost for a few hours trying to make a halfway broken shell work
I keep hitting dead ends…
Used the LFI on the webpage to download the .ini and .sdf files. Got the administrator password, authenticated to the IMAP and it doesn’t seem to have any mails there. Tried to access the SMB with these credentials as well.
I would appreciate any help guys 
i got to the same point here