Official MetaTwo Discussion

Well, it worked for me.

Current Version: 3.8.22
Last DB Update: 2022-12-20

Try adding this at the beginning of your release_arena.ovpn file.

tls-cipher "DEFAULT:@SECLEVEL=0"

It worked for me (two times already).


I found the hashes but I did not figure out how to manually enumerate the columns of the tables. The server is giving me a 502 error. If someone can tell me their methodology. :slight_smile:

I have reached the WordPress manager page.
But I can’t upload PHP or XML files. In what way should I attack further?

Just use whatever type you can upload.

I was able to crack the key password to see the login credentials, but when I try the one for root@ssh it does not work?

Edit: it was not for use via SSH :wink:, but rather to assume the user internally.

Very fun box! Everything was relatively straightforward except for the first CVE for me. Passwords and hashes flying around everywhere.

Hi, can someone who has exploited it manually help me or give clues?

Did someone manage to do the SQL injection to extract info manually? (I can use the crafted one from the vuln, but no matter what I try afterwards it’s not working.) The SQLi works with sqlmap, but the payloads are way too obscure. I am preparing for OSCP and am not allowed to use sqlmap. I spent 2 days, but no luck :(.

You will save some time and headache if you check the source code with Burp Suite instead :slight_smile:

Look around in Google, there may be a C** that can help you with that…

Not manually. I use a PoC. But I guess if you use a sniffer, maybe you can see what is actually sent to the server and get the SQL injection.

Are you talking about user?

I already managed to get what I wanted manually, thanks

Doing it manually looks the same as via a PoC. If you don’t understand the script, you can check what is sent to the server via a sniffer or proxy. There you can pay attention to the SQL injection or whatever the script does.

Rooted. Nice box. User was an interesting exercise, had some initial trouble with getting the initial foothold, but from there it was a pretty straight-forward path. Root was incredibly easy.

Foothold: Enumerate to find what’s vulnerable, and bust out google-fu to figure out where to go from there.
User: Think about the overall picture and where that picture might hold secrets.
Root: Don’t wander, see what you can and google-fu.

I have got the login page and I don’t understand what to do next. Any hints, please?

Just got root. Fun box!

Foothold: The site runs WordPress. See if there’s a special tool for enumerating this. Enumerate for vulns. This might take a while. Run a big scan and go make some coffee. Running smaller scale scans got me nothing. There’s a simple vuln for this.

User: Google Fu time! Don’t waste your time spinning your wheels on something that isn’t working. I tried modifying everything in a thousand different ways. Once I dove into google I found a much simpler way. The answer was music to my ears. Then think of where you may find info about the website.

Root: Back to basics! Check hacktricks.


The machine itself is a little difficult in the first part: finding root is super easy, while the beginning, on the contrary, is complicated… but in general, a lot of knowledge is not required to solve it… Highly recommended. If you have any doubts, you can ask me.

(╯‵▔′)╯︵ ┓─┓

Man! I was having trouble with SQLmap adding the port number to the Host header in the requests so it never found it. The SQLi isn’t found when adding port 80 to the Host header.

This issue stemmed from saving the Burpsuite request instead of writing out the SQLmap command, so much for saving a little time. I know I could have done it manually with the POC, but it bothered me that SQLmap couldn’t find it.