Official Mailroom Discussion

Official discussion thread for Mailroom. Please do not post any spoilers or big hints.

Is XSS the path ?

I’d lean toward yes, I’m fuzzing the parameters now to see if anything sticks out.

There is some simulation of someone’s activity by other side, so I think it might be the right way :wink:

Has anyone been able to bypass 403 on the subdomain?

could be data exfiltration through xss?!

Anyone had luck accessing subdomains?. I can see the vulns but I can’t get to them…

I guess you don’t need that access. There is other way to interact with this subdomain. One part of code interacts with our input from other subdomain, maybe it’s entrypoint.

Any hint on 2fa?

Finding one simple vuln is the key to accessing the forbidden place.

Now if only I could figure out this 2FA :thinking:

2 Likes

Bypassing 403 yes, the problem is getting past it :laughing:

4 Likes

Pwned that machine. It’s close to medium ones imo (maybe cause getting root is a pice of cake).
User: try to recover the password and the account name. the rce vulnerability is easy to find but don’t rush with it, after getting the foothold take your time to enumerate the machine and understand how everything works there.
Root: the user has the key, you just have to find a way to look at it.

6 Likes

i have tried shell through XSS but it didn’t work , ofcourse XSS is the right path the creator didn’t put it for no reason

The same here. I tried more languages, but without success. I have to try harder :slight_smile: :slight_smile:

Appreciate any help on root

Have ssh access to t*****n and rce expoited as www-data in sub-environment, but I don’t where to go form there. Nothing really stands out to me.

Anyone kind enough to give me a hint ?

Also do not hesitate to ask for hints about foothold.

Need a nudge on foothold :smiling_face_with_tear:

2 Likes

Me too. Can get request back from the host, but don’t know what do to next.

same here

I’m facing to the same issues, the problem is that we can’t see what is going on on the host machine. May be there are some CORS restrictions?

2 Likes