I was trying this. What method did you eventually use?
It was where I spent a lot of time, then realized that you can simply try to examine the download file, I mean the output, then find some juicy info that can help you to find the vulnerability.
If anyone needs a hint - DM me
You mean when the upload is rendered? Cos there’s technically no download
No, I mean after, without intercepting the traffic, the PDF itself.
You will find juicy info at the bottom of it. Examine the PDF in your terminal.
Then found something that you can use for some vulnerability
Rooted, this machine was actually really fun but also somewhat difficult. Learned a lot, thank you. Feel free to DM with any questions.
Oh, after struggling a lot on mastering the necessary tools, now rooted it: very happy.
Fun box.
Thanks, I have learnt again.
It's open, destroy and burn it.
Once again the day was saved by some stranger that took their time to answer a question in a forum 11 years ago.
Pwned it :) If you need any hints, feel free to PM me.
How can it be? Can anyone help?
I’m on the literal last step and cannot get the runas to allow me to enter creds. Any advice or suggestions?
Just rooted. Some hints and tips:
User/foothold: It's simpler than I thought, but the author did a good job of hiding the details in the spreadsheet. Look closely and you will be able to connect the dots. Once connected, look for possible vulnerabilities that can give you a shell.
Root: Look closely at what network services are running. Once you find it, find a way to access it and launch an exploit tool that is forbidden in OSCP to pop a shell. Lastly, don’t bother asking John for the password as he may never tell you that. Instead, find the easier and lazy route.
Rooted! Definitely a nice challenge, root was a little tough. Take a look at @spindel's reply for a good hint.
So I’ve gotten to the point where I need to use the CVE to gain a shell, I’m positive my exploit is correct but I’m not receiving any response back on my listener. Not sure where I’m going wrong. Any help would be appreciated!
Same situation, I’ve tried for hours, going to be mad.
Try a PowerShell encrypted reverse shell.
It should look something like powershell -e <blah_blah_blah_base64>
PM me if you need more help
That’s exactly what I did, I used a base64 encrypted PowerShell reverse shell.
I’m wondering if it’s an issue with running Parrot dual boot so I installed a vm on my windows machine to see if the issue persists. I have this issue often with boxes and not getting responses on my listeners.
I’m getting a 500 every time I submit the encoded PS. Have you seen this happening?
I don’t know what I’m missing out.