Official Noter Discussion

Finally completed the box; the initial user enum took much longer than needed by not looking at the obvious.

Getting a foothold was much simpler once I realised it can be accomplished by spinning up an http.server and clicking a specific button. The payload didn’t have to be complex.

For privesc I used the Python version of the r*****_**f exploit and that worked quite well.

I reached the user b*** but when uploading my .m* payload, I get an “error occurred” error and nc is not working. Can you give me a hint?

Note: It is obvious that the payload will be sent by opening l****** with the URL from the export field, but the system does not accept the payload I sent.

What you need to do is take a look at the codes you have captured thanks to the DB.

Hi guys, I am a beginner, but I am trying my hand at the capture-the-flag Noter machine. Unfortunately, I can’t find the vulnerability. I tried automatic tools like Nessus, OWASP etc., and the only vulnerability found is a reflected XSS on the login page, but I can’t exploit it.

Can anyone give me some input or hints on where to look for the vulnerability? Thanks

I am not sure at what stage of the box you are exactly, but I would advise you to think about how users are identified to the server.

Thank you, I have two solutions…

First solution: to be identified through cookies.
Second solution: to brute force the login

Are they on the right track? :sweat_smile:

:cookie:

Right Track :smiley:

With the right tool you can generate a cookie for another user and access :stuck_out_tongue:

Python cookie forgery

It’s been one week and I’m still stuck on passing code through the converter. Any help would be appreciated before I stop trying.

No matter what I use as the note, it does not seem to work. I’ve tried both local and remote.

I managed to get the other username by brute forcing and I also got the signing key for the c*****.

Trying to forge with the f*****-****** tool, no matter what, I get an “Unauthorized, Please login” error. I’ve tried both with the --le**** flag and without it.

I would truly appreciate some help. :melting_face:

EDIT: Be careful with the time on your PC. The time in my VM was incorrect by +2 hours; because the f**** c***** uses a time stamp, all my f***** c****** were rejected for the time stamp being 2h in the future, thus incorrect. It wasn’t until I retried with a c***** I f**ged yesterday that I realised this BS.

P.S.: A whole day wasted because of this …
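The clock-skew rejection described in the EDIT above, as an added example that is not part of this thread: a stdlib-only Python model of how a server validates a timestamped, HMAC-signed session cookie, the scheme Flask session cookies use (this simplified layout is not byte-compatible with Flask’s). `SECRET_KEY`, `MAX_AGE`, `CLOCK_SKEW` and the sample session values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret: a real deployment needs a long random key, because a
# guessable key lets anyone mint valid cookies (the brute-forced key in this thread).
SECRET_KEY = b"demo-secret-not-for-production"
MAX_AGE = 31 * 24 * 3600   # seconds a cookie stays valid (Flask's 31-day default)
CLOCK_SKEW = 0             # tolerated future skew in seconds; 0 = strict, as the thread found

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(body: str) -> bytes:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha1).digest()

def sign(session: dict, ts: Optional[int] = None) -> str:
    """Build payload.timestamp.signature, the layout timestamped session cookies use."""
    ts = int(time.time()) if ts is None else ts
    payload = _b64(json.dumps(session, separators=(",", ":")).encode())
    body = payload + "." + _b64(ts.to_bytes(8, "big"))
    return body + "." + _b64(_mac(body))

def verify(cookie: str, now: Optional[int] = None) -> Tuple[bool, str, Optional[dict]]:
    """Server-side checks: structure, HMAC, then timestamp window. Returns (ok, reason, session)."""
    now = int(time.time()) if now is None else now
    try:
        payload, ts_part, sig = cookie.rsplit(".", 2)
        # Constant-time compare so a wrong signature cannot be detected byte by byte.
        if not hmac.compare_digest(_mac(payload + "." + ts_part), _unb64(sig)):
            return False, "bad signature", None
        age = now - int.from_bytes(_unb64(ts_part), "big")
        session = json.loads(_unb64(payload))
    except ValueError:          # wrong number of parts, bad base64, or bad JSON
        return False, "malformed", None
    if age < -CLOCK_SKEW:
        return False, "timestamp in the future", None   # the 2-hour skew failure above
    if age > MAX_AGE:
        return False, "expired", None
    return True, "ok", session
```

A cookie minted on a machine whose clock runs ahead of the server fails the "future" check before any user lookup happens, which is why a correctly signed cookie can still be refused.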

I had to use flask_session_cookie_manager to re-encode it.

Well after a week of trying, I’m officially giving up on this machine. Won’t even open a shell with the correct code and method for me. Even after a restart. Best of luck all, but I believe it may be broken.

Can someone that’s been through it message me… my user shell instantly closes. I’m on the page where I need to be and I know it’s working because it gives me a shell for like 2 seconds… anyone else run into this?

What a great box this was! :grin:

Foothold
  • Since you can register your own user, the next step is to figure out how to access the web app as a different user. Finding that username is pretty simple, just pay attention to error messages.
User
  • There are hints on the box to get you on the right path. The actual exploit is a known CVE that impacts a script that processes some data that you can control. Read the code and follow the input path.
Root
  • Another known attack to get root. Check what’s running on the box and under which user it’s running, a classic mistake. There’s even a handy exploit that does all the heavy lifting for you.

I really enjoyed each step for this box. It was a lot of fun. Mad props @kavigihan!

PM me (or hit me up on discord InfosecGreg#1683) if you need any hints.

pwnbox?

You have any luck yet?

Finally rooted it. Just a hint for those of you who ‘cant open shared library:’

you may need to locate the plugins path and use that instead…

I wasn’t able to get a reverse shell, but I WAS able to cat. And after all the trouble this box has given me, that is good enough.

You can run root commands, ever thought about placing a file somewhere which allows you to establish a remote connection? :wink:

Yeah I thought of that several minutes after posting lol