Official OpenSource Discussion

I have a reverse shell inside the d***** cont*****. But I have no idea where these “creds” everyone is speaking of could be. I must need these to progress, right?

Review your downloads. It is hidden.

Can someone help me find the way for F**?

I found the hidden creds, and I found what I believe is the L**, however I’m having trouble actually exploiting it. Any help (either here or in DM) would be greatly appreciated.

People are talking about L** a lot, which to me seems a little confusing/misleading because it’s not like a traditional L**. But maybe that’s just me?! In fact, it’s a lot simpler than it first appears in some ways…

I still don’t have user, but that initial foothold was interesting! :smile:

The same trick is used to get arbitrary L** and final foothold, while L** is easy to observe and verify. IMO that is why it is talked about a lot.

If you get stuck on hidden creds like I did, @tec has given enough of a clue but it is worth thinking about the name of the box and what that signifies - I missed the relevance of that for a while. My route involved using the P*N which was easy enough - so not sure if there was another path for the initial shell?

I got access to c****** without the pin somehow, so everything I try there is giving 404. Is it due to not entering the pin?

Hint for root please?

You can use the u****ud page to upload a new v****.py but with a r*vsh*ll.
Just make sure you put the right f*le n*me.

Can’t seem to get past the L** filter. I found creds, found the c****** page, been banging my head against the L**.

Update:

  • I have the hidden creds
  • I have both the L** and R****** S****
  • I know that the a** runs on the filtered port

Otherwise, I’m stuck trying to figure out how to pivot from the c********. Any help would be appreciated.

I am in the limited shell, I know I have to p…t through it to get to the f…ed port, but I cannot run ch…l on the limited shell, I keep getting ‘unknown “(” character’.
It seems to be an issue with d…r, and not with the binary, since on my Kali it works in both server and client mode. Is there a specific binary for d…r or another way to p…t?
Thank you for any hints that you can give.

Gotten foothold with reverse shell, in docker container. Able to view the hidden web application. Stuck there. Is it supposed to be some CVE for RCE, or something else?

Rooted a couple days ago; Not a bad box.

Foothold: look carefully at what you are given; the cr******** will help you later. How can you possibly use the file upload in conjunction with the function it runs (look carefully) from the source code to do something to the server?
User: A certain tool will help you attack the host machine; all you really need is what you found earlier. Pretty straightforward.
Root: Standard Privesc; just doing a tiny bit of research will make it jump out at you.

The credentials were in something the website gave to you; enumerate everything in it.

The box isn’t accepting my user flag… Do I need to reset the box and exploit again?

Edit: resetting changed the flag, still says “Error! Incorrect flag.” :expressionless:

Edit: Logging out then logging back in fixed it. User flag accepted :sunglasses:

Thank you! I can’t believe I missed that they were using git.

Hi, I’ve been stuck on rooting for a fair bit now, is CVE-2018-18955 on the right track or? Any help is much appreciated :slight_smile:

Same here. I think I have done all correctly, but I cannot use ch**** cl**** on that limited shell… Is there any trick?