Official discussion thread for Photobomb. Please do not post any spoilers or big hints.
I found the endpoint with the login for a printer, but there doesn’t seem to be credentials online for that specific printer. Am I missing something?
probably using sinatra webframework
Look closer at the home page, try viewing some things.
I’ve tried with steganography in all photos but I dind’t find anything. I realised that sinatra webframework is used but i cannot look how can I exploit it. And I tried Directory T******** but nothing. Anyone with more info? Thanks
In the first part we have some in information in .js file
heh fun times
I’ve got the authorization but I don’t know what to do now?
Anyone can hint me something?.
Auth and some verbose error messages
Maybe a username
!! ROOTED !!
Nice machine, simple and entertaining.
Send me DM if you need help
First time pwning a release arena machine! User flag wasn’t very hard… but I don’t know much about Privilege Escalation, so it took me some time to root.
nice machine with basic foothold. Root wasnt difficult since something seemed irregular to me but definitely had me add something to my notes.
as always DM if you are stuck
Look closely to the parameters
Which parameters are talking about exactly ? I found also some stuff about sin***** but for now I’m not able to gather something interesting, except the port on the loopback address, but i think it cannot be exploited
Need hint. please dm me. I’m able to view protected content.
any recommended payload for LFI? or should I check manually?
can you help me please on getting a foothold, i havent got a clue how to get the printer creds, ive also seen a page with something about sinatra on is that any use?
thanks in advance
Well, on my side I tried to put something in the field for file**pe on post rq, to perform a L*I, but nothing works for now. I’m pretty sure it’s something here, but nothing seems to work for now.
Some hints for the machine
- Use the web inspector, search into the links.
- There is nothing local to read
- A parameter will be your blind ally.
For root: The environment and cleaning is in your hands.