Official Pandora Discussion

I have m…t session on p…a (I dumped s…_i. from d. with s…i). Can I have r.e, or is it mandatory to be logged in as a…n?

NVM got user

Got root at last.

Foothold: basic enum; one of the first tools you usually use can help you to start, just think of what you might do differently. Thanks to cre4k for the nudge.

User (very hard): exploit after exploit after exploit, Google is your friend. When you find it, exploit it to recon (automated tools might help you), exploit to steal something from m * * t, step back and think again if you can do something else manually with the already known exploit to get an a * * * n (the recon data might help you here again). And when you have the a * * * n, just use another bunch of exploits and you're done.

Root: basic stuff, I saw the way at the foothold enum stage. If something doesn't work as you expected, you should try to use it in the SSH session.

Rooted the node as well, might have done it a little differently (not sure).

This was my second box ever (got a sysadmin background, which helped), but this did not feel easy. Also, a bunch of rabbit holes are included (don't go for the easy option, there might be some dead ends in this one)!

Foothold: as mentioned before. Scan a little more than ‘the default’.

User: The backend has little to nothing to do with it. Find known vulnerabilities for the system and exploit them properly. I've exploited a couple of them; sometimes you need to do a little more than exploiting. Steal/find something, use it, and use this to your advantage in exploits. Afterwards drop your SSH key into the user, which makes it easier to work natively.

Root: When looking for the foothold I found the entry which stood out (it's fairly 'custom'); exploiting this is fairly easily done and then you have rooted the machine.

Thanks to @LightTheMad for the nudges & hints.

Cool machine. Feel free to send a DM for a hint, no spoiler.

Whew! This is one of the hardest "easy" boxes that I've ever done. Here are a few tips:

Foothold: Double check your scans.

User: The hardest part of the machine. There are a lot of useful hints in the previous replies. The initial documentation is in Google; my only tip is to read the tech report very carefully when you find it. The exploitation isn't public yet (so no copy & paste either!), so you need to think about what you want and how you might inject it :laughing:

Root: Basic enum to find it. Maybe your exploitation isn't successful, so check how you can upgrade your access!

Feel free to send a DM for a hint with no spoiler.

I can see the API only with curl; is there any way to get it in my browser? Or is curl enough?

So I’m having a bit of help with the enumeration. I have tried gobuster in dir, vhost as well as dns and I’m not seeing any subdomains. I’m using the subdomains-top1million-110000.txt wordlist. Is there another approach which may work better for me? If someone doesn’t mind DMing me, that would be awesome!

Back to Nmap but not your normal Nmap scanning

Thanks!!! I forgot UDP scanning so that was totally my bad. Managed to get a foothold on the system, now looking to see what I can accomplish next. :slight_smile:

Me again, can I PM someone for a nudge in case I’ve wasted the past 7hrs or so?

Sure bro

using your browser makes it exponentially easier not just to exploit but to recon the app

on paper, curl would work but it would be like assembling a rig with a butter knife instead of a screwdriver lol it’s possible, just unnecessarily harder

I'm in the system but I don't know how to escalate privileges((( I know about f*s

UPD: I did it. It was really hard; I spent more than 10 hours on it.

I have used multiple tools to enumerate the udp port but can’t seem to figure out what valuable information I should get. Any tips?

Hi guys, I'm stuck. I'm logged into the system, but the user I took doesn't have permission to read the user flag. Am I on the right way?


How am I supposed to redirect the API site to the external IP of the machine so I can reach it with my browser? I think I'm missing some knowledge here. I've tried playing with the hosts file with no result.

chisel


I have the user and password for the API, I think, but I can't find how to get access to the API haha

Got it, thanks!

Not sure if it's an issue on my end, but I can't get the delicious c**kie returned by my s** injection to let me past the c****le login page.

Do I have to craft the s** differently so as to ask for a specific c**kie?

Edit: I think I must be going about this all wrong, actually…
