Official Mentor Discussion

I’ve reset the box, but still no hidden site, or am I missing something obvious?

Are you fuzzing the vhost correctly?

One lesson that I learned from this machine is that when you ffuf vhosts, you should add the `-mc all` flag in case the vhost homepage status code is 404.

Hey, thanks for the hint, got the sub.

Having trouble with the privilege escalation. Any hint would be appreciated. I’ve done my usual enumeration and found some interesting stuff, just not enough to privesc.

One more machine completely solvable without Burp Suite :face_with_hand_over_mouth:
This one can be really confusing in most parts, and I spent nearly 12 hours straight on it; some of the vulnerabilities are well hidden.

For those using gobuster to find the subdomain, I solved the issue by appending -r as a parameter; this may help future people coming for the machine.

But aside from that, if anyone needs any help, just send me a message, R is always here :heart:

Enumeration is important to privesc to the second user.
At the last part, the machine creator must have been tired :sweat_smile:

Can anyone help with the foothold on this box?

I’ve found an interesting vhost, and the docs endpoint. I’ve used the API to create a user, but when I send a request to another endpoint, I get a field missing error even though I’ve pasted The Thing into (what I think is) the correct place.

What’s really throwing me is that when I check the headers of the request itself, that field isn’t even being sent… I’m obviously doing something wrong, but can’t figure out what it is…

In this one you are going to need to keep watch on hundreds of logs :laughing:

I sent you a message regarding the machine, it is not hard at all :heart:

Finally rooted… the recon/enumeration phase kicked my ■■■■ - learned some interesting new tools & techniques along the way, though!

Thanks to @Paradise_R for the gentle, spoiler-free nudge to help me get my toe in the door.

Privesc to root was pretty uncomplicated but man, after foothold → user, I feel like I need a lie down now.

Headers are important… try common API conventions once you are authorized.

I have admin access to the API but I don’t know where to go from here. I’ve tried all the injections that I can think of but none of them have done anything interesting. Any tips?

Hello,

I need some help please.

Do we have to “play” with the registration of a new user?

Not exactly… you’ll need something else before the door is open to you.

PM me with where you’ve got to, and I’ll try to help.

Finally rooted.

Keep this in mind for all related efforts!
Some tools / tool versions cannot work due to this. (I’ve wasted too much time here.)

Hi, I’m currently doing this machine.

I’m having trouble making requests to the API. I was about to attempt to bypass the login, but I’m not able to make requests to the machine.

Do you have the same problem?

PS: never mind, just changed VPN and it’s back again.

Range environment is out of the question? Why, when I take the James user to create, does it still show “Only admin users can access this resource”? Is there a brother who can tell me? Please PM me.

Can’t make any requests and can’t reset :sob: