Official Usage Discussion

never mind, got it. Was looking for something a lot more complex

I’ve already seen this binary but have no idea how to use it to gain access as root

Spent an embarrassing amount of time getting a foothold

Foothold: test every functionality of the app, there are not a lot of them
User: again, there are not many things you can do (albeit more than the first step), but it was easy to find just by googling around with what the app gives you
Lateral Movement: standard stuff, not much to say
Root: If you’ve been doing boxes for a little while you have probably come across a technique very similar to this one; hacktricks can help you if you know what you’re looking for


That’s what I have in mind: that once you register you could maybe get some sort of credentials or cookie that you could use for the foothold on the subdomain. This is my thought, or initial plan at least. I could be wrong, but that’s what my senses are telling me to proceed with.

Hints on getting foothold?

use this to avoid getting a 503 when using gobuster: | grep -v "Status: 503"


By doing this, you won’t have any results.
You get a 503 because you send too many requests at one time.


as said in previous posts

  • foothold: try every possible form and user input and you should notice something. After exploiting this further, getting a revshell will be really easy.
  • horizontal escalation: just explore the machine
  • root: try to see what happens. As said before, there is a well-known privesc that is similar to this one; hacktricks will help you

Does anyone know what the vulnerability in this machine is? I’m stuck. :wink:

Rooted. Was a fun machine and root had me stuck for a bit. Everything has already been said here so I’m not going to leave any more hints. If you are stuck feel free to DM.

Anyone have any additional tips for foothold? I’m confused about the usage of the tool.

Finally rooted. There was a lot that was new to me in the end.
Can confirm the hints given.
Foothold: Enumerate and try everything you find.
Lateral: Just look around.
Root: Understand what everything you find does.

Finally rooted.
Foothold: Guys, research is everything; look at every available functionality to get a foothold.
Look at the obvious functionality on the admin panel to get the RS.
Lateral Movement: One of the easiest parts; gather local info and get access to another user.
PrivEsc: The easiest part of this machine; just look at what your user can do with high privileges and what access you have on the fs.


Looking at foothold, I think I might have found something but not sure. Would appreciate a nudge from anybody.

Just started this box and, while exploring the website and trying different injection payloads on user inputs, I found that the forgot-password email section gives a 500 server error whenever anything with a single quote (') is entered. Is this something I should investigate further, or just keep moving on?


You should test everything, then only move on to the next :face_with_peeking_eye:

Tip on foothold: don’t be afraid of 500 errors

I’ll leave this hint here for privesc, but I’m not sure if it’s the correct way. If anyone knows whether I did it wrongly, please DM me; I’m really interested in the correct way.
Note 1: actually, you don’t need to gain root privileges, you just need to peek at privileged files by exploiting the tool you’re allowed to run :slight_smile:

Not really a hint, just a clarification about Note 1: you can gain root privileges using the same approach, just use the files in the root home.

Can anyone help me? After uploading the PHP shell and the redirection, I got "file not found".

Hello, I am stuck at foothold. I found that the reset password may be vulnerable because of the 500 status, and it also returns a 302 if a certain condition matches, but I am not able to proceed further. Any help would be great.