Sure you are
This was a fun box, but I wouldn't call it easy, would say it's a medium. There were elements that I never came across before so it was a good learning experience.
The initial part is standard web enum and exploitation. It helps to have Burp here; while there is an automated script online, you will be better off doing it manually with Repeater.
Path to user was new for me. You need to look at conf files with your initial foothold/shell to find a subdomain. From here view the source code (upon login) to find something that ties back to what you found in your initial NMAP scan output. As @devi4nt mentioned, look at Rayhan's writeup online. From there it's a waiting game until the output you want is "dumped".
Couple of points,
- Keep your /etc/hosts updated, if you find a new subdomain, you should be adding it there so it can resolve.
- There are some cleanup scripts running in the background so things keep getting deleted/reset at different stages. (Assuming this is being done to prevent you from interfering with other players).
Path to root was new to me, a standard Linux privesc enum tool will point you in the right direction. From there google the use of the sudo-like command to exploit.
Hi! I'm quite new to this stuff. I have tried a bunch of nmap scans and used dirbuster and ffuf to search for possible directories. How shall I proceed? Is there any step I'm missing?
Try different wordlists
I had the same problem; a different wordlist worked for me
Rooted!! Great box, but bruh I wouldn't say this is an easy one.
I have found the "other" site but am not able to proceed any further. Any hints?
Nice machine, although user might not be that easy. The cleanup policies can be a little annoying sometimes.
- Foothold: straightforward from enum
- User: Common vuln against a different endpoint
- Root: look for where you can write things and how to use it
DM me for help, once you get a foothold it's pretty fun, a new way of doing things, will be adding that to my notes
Sorry for bothering but I did try different wordlists and different tools xD it just didn't work
I'll have to come back to this one, I found the websocket, I made a script to exploit and used the sqlmap, but keep getting "connection timed out to the target URL."
Rooted. Thanks to all the clues from everyone here!
As @devi4nt mentioned a blog post to help with user, I came across a blog from 0x4vian that helped me understand the program to root.
Rooted, Thanks to all the clues from this forum!!
This machine is so interesting, Recon is so important in this machine.
I spent my entire day just to realize how to do the priv esc as root. I got so much insight from @robinas and @devi4nt, their tips were so helpful for me
Really interesting machine! I never performed the specific attack which is used to get the user account before. Thanks @sau123
Does anyone else have a problem exploiting the MySQL injection? I used a script to use sqlmap on the websocket and it doesn't exploit any vulnerabilities
Hey, I didn't find that file but I managed to get a shell. Am I on the right track?
Edit:
I found the other site but now I'm stuck. Can anybody help me?
Hello guys!
I have the user but still stuck with the root.
I found a CVE with our favorite enum tool, but it doesn't work…
Can someone give me a tip?
Rooted! DM me on discord (n3hal#1527) if anyone needs a hint.
Finally, I got shell
New here. After enumerating for directories I found /tiny but I don't see anything when I visit that endpoint, stuck in infinite loading.