Pwned! Thanks to @ahmedmegjxdno, @7H31NTR00D3R, @thetempentest, @jecpr636, @matus.
Learned a lot of things with user. Root was tiring
I'm a little lost, can someone help me understand the vulnerability? I believe it has to do with the Apache version but I can't find anything on it that has a POC.
It was certainly one of the hardest boxes of this year. There are not so many rabbit holes, so if you think you found something that probably is the way to go. Perhaps this is the only reason why it isn't rated as "insane" since it could be a serious contender. The user rated difficulties do not lie. The user path isn't straightforward and can be gruesome needing some serious research, time, and patience. It is long and tedious. What to do for rooting is pretty clear, doesn't need that much enumeration - you can pretty much easily find out what's on the box. But nevertheless this does not mean you can finish it right away. No way. Think of it as a challenge disguised into a box. Yeah, so this means it surely is useful setting up a local lab environment before working live. Use the right tools to aid you in this journey.
I don't know why people are ranking this box low.
It was actually very interesting.
Was stuck on user for a while, and I know I wouldn't root this if it wasn't for the community leaving some artifacts.
Very well made box all in all, learnt a ton from it.
Need to up my game on reversing.
Enjoyed it immensely, thank you @1354
Rooted!
Very challenging and interesting box for me!
A tip for user: don't forget to have some tea, which is very helpful.
If anyone is willing to help with root, it would be appreciated. I know what the vulnerability is but I'm just having trouble executing the exploit.
The box has low rating but I really like it. The thing with path with shell code and webshell being file and content was nice, great stuff
Hello!!! I'm a beginner to this, and I'm still trying this. Can you help me to do it? I need a guide.
Rooted! Holy nuts, this was insane. The foothold and user were very interesting, I learned a new technique there. But man, the root was hard, and not in the way I'd have hoped - more because there's a rabbit hole that turned out not to be the exploit vector. Big thanks to @JimShoes for the redirection!
Hints for user:
- Not much here. If you're not sure, just sit down for a while. Drink some tea, maybe you'll find something useful. Alternatively, look deeper into the page, it'll spill the tea real quick.
- Now you know the site's true form. I never recommend trying to sneak stuff past airport security, but a similar concept comes into play with the site here. (REMEMBER: HTTP uses \r\n, not \n.)
- Ralph Merkle and Ivan Damgård send their regards, and their disappointment towards whoever made the webapp in question. The origin has all the information needed to carry out this attack.
Hints for root:
- Something's off about the index. Good thing the privescable app tells a little too much about itself.
- Bring it home and set it up exactly as seen on the target. You're gonna need to do some fuzzing and debugging, and trust me, you don't want to do it on the target - unless you're okay with polluting the app's root.
- App behaving weird when you give it too little? Ignore it. Here we like it big. (This threw me off quite a bit.)
You can PM me if you really need help, but make sure you have absolutely no clue where to go next first.
Glad to help!
Finally got user