Finally completed the box, the initial user enum took much longer than needed by not looking at the obvious.
Getting foothold was much simpler once I realised it can be accomplished by spinning up a http.server and clicking a specific button. Payload didn’t have to be complex.
For privesc I used the python version of the r*****_**f exploit and that worked quite well.
I reached the user b*** but when uploading my .m* payload, I get an “error occurred” error and nc is not working. Can you give me a hint?
Note: It is obvious that the payload will be sent by opening l****** with the URL from the export field, but the system does not accept the payload I sent.
Hi guys, I am a beginner, but I am trying my hand at capture the flag Noter machine. Unfortunately, I can’t find the vulnerability. I tried automatic tools like Nessus, OWASP, etc.; the only vulnerability found is reflected XSS on the login page, but I can’t exploit it.
Can anyone give me some input, hints where to look for the vulnerability? Thanks
I managed to get the other username by Brute Forcing and I also got the signing key for the c*****.
Trying to forge with the f*****-****** tool, no matter what I get an “Unauthorized, Please login” error. I’ve tried with both the --le**** flag and without it.
I would truly appreciate some help.
EDIT: Be careful with the hour on your PC. The time in my VM was incorrect by +2 hours; because the f**** c***** uses a time stamp, all my f***** c****** were rejected for the time stamp being 2h into the future, thus incorrect. It wasn’t until I retried with a c***** I f**ged yesterday that I realized this BS.
Well after a week of trying, I’m officially giving up on this machine. Won’t even open a shell with the correct code and method for me. Even after a restart. Best of luck all, but I believe it may be broken.
Can someone message me that’s been through it… my user shell instantly closes. I’m on the page where I need to be and I know it’s working because it gives me a shell for like 2 seconds… anyone else run into this?
Since you can register your own user, the next step is to figure out how to access the web app as a different user. Finding that username is pretty simple, just pay attention to error messages.
User
There are hints on the box to get you on the right path. The actual exploit is a known CVE that impacts a script that processes some data that you can control. Read the code and follow the input path.
Root
Another known attack to get root. Check what’s running on the box and under which user it’s running, a classic mistake. There’s even a handy exploit that does all the heavy lifting for you.
I really enjoyed each step for this box. It was a lot of fun. Mad props @kavigihan!
PM me (or hit me up on discord InfosecGreg#1683) if you need any hints.