Official MonitorsThree Discussion

If you are using Firefox, go try on Chrome. It worked for me on Chrome. Firefox, for some reason, gave me quite a rage!!!

I need help with the nonce thing, trying for a few hours and each time unauthorized!!! Is the machine bugged or what?
EDIT: I am an idiot!

I got a question: I was able to find the c*** subdomain because of a nudge, but I wanted to know how you guys found it. It’s impossible to bruteforce it since we need to enter this domain in the /etc/hosts file beforehand, right? So how can you enum on this?

Thanks

Is the created account for permissions supposed to hit a denied permission page when attempting to log in to the new account?

Never mind, found a different CVE that bypassed that step.

Can someone help, where are the default creds :smiling_face_with_tear: :smiling_face_with_tear: :smiling_face_with_tear:

It’s all about enumeration, if you can’t find something on your initial search you got to dig deeper.

Yes, I have too.

I’m sorry, I can’t seem to find the right list… I’m using rockyou
…

For what?

I followed a related Medium article to bypass Duplicati, but I still get an Unauthorized error. I’m not sure what I did wrong.

Thanks, gobuster solved my problem :slight_smile:

I cannot find the right m***** key to log in to the machine. I grepped for it and found one in the pki folder, but it didn’t work. Any hint?

Anyone else think root was a bit complex, or was it just me?

Hi, can you help me, please?

Same here. Curious to know if anyone got a shell?

Hey Everyone!
I’m at the point where I have user.txt and I’m trying to log in to the Duplicati server. I am trying to change nonce sessions but it’s not working and I’m unsure what to do. If anyone could give me a nudge that would be great.
Thank you!

Lots of hints here already, but in case someone is still stuck:

Foothold: basic enumeration, look for (all) places where you can input data. When you find something you can exploit, don’t go directly for automation tools. Instead, try to figure out how the input is being handled by the server. You may be blind, but you don’t need to wait for any answers. After figuring out the vulnerability, go for the automation tool and you’ll have valuable data in just a few minutes. Next, all you have to do is use the retrieved data, combine it with the information gathered in the first steps, and do some research about known vulnerabilities.

User: everything you need can be found right where you will land after initial access. Just stick to basic enumeration, and you’ll get access to sensitive application data.

Root: pretty simple. Check out the services running on the machine and look for unusual data sitting in unusual directories. Some basic searching/googling will help you get access to the application. After that, don’t forget a file that you have probably seen before and that describes how the application you accessed should be deployed. This should help you find where the real data that you need to “extract” is stored.

Hope this helps!

Pls, the creator of this box, check the machine; the subdomain I found is not loading anymore!
The first day I ffuf for it and found it, I was able to load the c@@@@i page up. On returning to the machine to continue from where I left off 3 days ago, I keep getting this message "This site can’t be reached" even with discovered thrown into my hosts file and resetting the box countless times again yesterday.
I notice I could scan or ffuf the monitorsthree.htb, but could not anymore when the subdomain is attached to it, like I did days ago and discovered 2 additional dirs with the subdomain… Pls kindly look into this.

Hello everyone,
While working on this box, after gathering some usernames and passwords, I was exploiting a vulnerability in the dashboard through the use of the R** exploit. I have the right code for this particular one, but every time I try to use any manual or even automated exploitation techniques, I keep getting an error log.

I’ve been stuck on this for quite a while now and could use some guidance. If anyone has experience with this kind of exploit or can point me in the right direction, that would be great. I don’t want to give away too many spoilers, but I’m looking for a nudge or some insight into whether I’m on the right track.

Thanks in advance!