Official MonitorsThree Discussion

Any hint for the first auth?

I have tried for foothold. I have used FFUF and found a Desert plant. I have used Dora's favourite tool and found ***_user but not getting any hashes or creds to use. Can I get a hint, please?

I have used ffuf and found all the .php files. Can someone give me a hint on where to go next? Thank you.

You can DM me for some nudges if you wish. I think there are some decent hints in the thread already to get you where you need to be and what needs to be done for foothold, but I can be more direct if you wish.
@badre619
@lordsoahc
@rdy2hunt

Hey @Ashishgupta, even I got the root easily with user-level access, but still I tried to escalate my privileges. I was able to pivot and gain access to the internal server, but after that I am stuck. If you know anything, please help.

So you have access to the web panel of Duplicati? Can you log in to it? It is backup software which is running as root. You can simply do a backup of /root for the root flag or run a script using it.

Rooted :)
Is there any way to get a shell as root? I couldn’t crack the shadow file.

I think that I found the c**.*** you are mentioning but not sure how to abuse it. Tried to blindly inject c** on this very page using common params and various verbs but I don’t seem to get anything from the machine (did not go far on escaping and enumeration though). Is this the way or am I charging windmills?

You need to find another page that you can perform SQ******ction on to dump some creds so you can log in to that subdomain.

Hello, does anyone have a little hint for the root part? :sleepy:

Lost a lot of time trying to generate a pair of keys while the approach was way more straightforward. I forgot the obvious way to expose local resources. Not sure how NLTE got the user in 12 minutes (is there a way for the user different than the one for root?). Thanks for your help, @FroggieDrinks

SUPER SLOW
Do it manually

Well, I guess I buy some food while sqlmap is running.

Root was so simple actually, but I was overthinking for 2 days.

Tip for Root Privesc because I was a silly goober and wasted 20 minutes:

If you decide to use online encoding, they may auto-delimit Hexadecimal with spaces.

Don’t. :,)

Hello,

To get user, I need to find the private SSH key (I think). Can someone help? Currently I am stuck for a very long time after I got the shell.

Thanks, and greetzz!

Wow, I wish I could spin up a 2nd system to go after while I’m waiting for my scans/enumeration on this one to finish! :sweat_smile:

Hey, can someone help me with the user flag?

Still having difficulties identifying how to successfully map the form in the subdomain I found. Scans take a long time and I’m not sure if I’m using the wrong options or not for the scanner tool. I’ve been told there are other ways to do it, and I tried some manual injections but none of them worked. Other than finding the “plant” subdomain and login form I’ve got nothing.

If someone has time to provide a nudge or something, I’d appreciate it. I’ve been scanning and trying manual things for close to 6 hours now and I just feel like I’m wasting time and not learning anything.