Official Writer Discussion

Got creds for a service. Don’t know where to go from there. I would gladly take a hint :confused: PM me!

@FQuen said:

Got creds for a service. Don’t know where to go from there. I would gladly take a hint :confused: PM me!

Enumerate which files you can edit :wink:

@jsarmz said:

@Kevoenos said:

Got user but stuck on privesc. Do I have to do anything with the other vhost?

How did you get the user then? :slight_smile:

Probably the unintended way, by bruteforcing… I’ll try it the intended way first then.

Finally Rooted :smile: my first machine done a few hours after release!

User was quite complicated, since my enumeration process did not pick up everything. The tool I used for the foothold did help in some way, although I ended up copying the generated payload and used it by hand at the end.

Root was fun - the initial foothold is right there, however the system does bite back so it is absolutely crucial to understand what happens on the system :wink:. I ended up taking multiple steps to get root.

Very fun machine overall (although it took me more time for user than I expected), although I am not sure if there are multiple ways to exploit it since there are some services that I did not use at all in the end.

Was able to use an OWASP top 10 vuln and found I can read various files on the server. Does not seem like I can find the ones I need to, however :slight_smile:

Nice box, rooted.

Privesc to root : can’t have a proper reverse shell !!
(user j*** not in group m*******)

well, rooted. Funny box

Rooted Is Nice For
User: Look To OWASP 10
Root: look in cronjob and P****** The User k*** not in group m******* The j*** is In Group

Rooted. Priv esc was a lot easier than foothold imo, although I got trolled for a while by my shell after getting user j**n

root@writer:~# id
uid=0(root) gid=0(root) groups=0(root)

Rooted, forgot the basics.
Thanks sharkmoos

I have to say I am a bit frustrated by this box, I have found the privs, have read the init, have found the path, I can upload images in two ways the second being the preferred but I still can manage to get a shell. It’s really infuriating.

Edit: ■■■■ what a ride, finally managed to get a shell but this mf keeps exiting (always pay attention to your quotes!!!)

That was really hard for me. I couldn’t see a clear path at first …

@hadrian3689 made good tips!

PM me if you need a taco.

Really nice box. This box will take some time, so keep patience.

User: regular enum, regular vul (but some tricky), find what you can’t see with your naked eyes. there is another vul, because of the developer. AND GAIN the user.
Don’t fall into rabbit hole

PrivEsc to 2nd: Enum, this was a little bit odd for me. there is something on the box.

Root: Check what you are and what you are in. and try to make your payload minimalist.

Discord: luckythandel#6053

Finally rooted this thing after 3 days of exploration… it took me about 3 days to get to foothold!!! And then a few minutes to get root hehe

My suggestions below (hopefully I won’t be spoiling anything)

Foothold: this is a real ride that you could encounter on “real life applications” over there… there’s an OWASP 10 really common issue once you find the “admin” page… attack it and you should be able to, through some payloads, enumerate the website code (you noticed that it’s not a common “php” static site right!!!).

Once you get the code path (how do you set up the sites “available” in apache!!!) you’ll need to understand it. I just copied it over to my host and used vim editor to look with colors (way better)… search if there’s a way to upload files in this site…

Now my suggestion is to play with it in your host… you can easily set up a testing environment (as you have the code) or just find how the application handles incoming file uploads (if you’re good with py**** code)…

Once you do, you’ll notice a flaw (any system call could be explored right?!) and then play with the payload to be used (again, use the code in your host and play with it… set some debugs for you if needed) and you should be able to ingest a payload to call you back on reverse shell…

User escalation #1: it’s pretty easy to be honest… you’ll find some directories and file that you can write through some common enumerations… then google around how to pentest/exploit these file names (there’s a really nice page with some steps that you could even follow there… I think the creator just copied the pentesting done by this other blog and changed some names and hosts hehe)… once you exploit you’ll be another user…

Root escalation: this is the easiest part really… my suggestion is to always have pspy running when you have access to any linux server like this one… you’ll notice something running all the time… again search on google for ways to exploit/hack using this application name (there are lots of pages about it there)… pick any that you like and follow the instructions… you’ll be root in no time…

Thanks a lot for the creator of the host… this was really interesting…

Ping me if you need any nudges :smile:

@JulianoPL said:

Once you do, you’ll notice a flaw (any system call could be explored right?!) and then play with the payload to be used (again, use the code in your host and play with it… set some debugs for you if needed) and you should be able to ingest a payload to call you back on reverse shell…

Thanks a lot for the creator of the host… this was really interesting…

Ping me if you need any nudges :smile:

I don’t think you got foothold the intended way :slight_smile:

I’m able to read files, and there is one in a certain language that I think will help me create a foothold. I have the file name, but the file itself is taking ages to download even without the usual tool. Is this the right way?

@camk said:

I’m able to read files, and there is one in a certain language that I think will help me create a foothold. I have the file name, but the file itself is taking ages to download even without the usual tool. Is this the right way?

I had the same issue with automated tools, but it was instantaneous doing it manually

Can anyone send me a pointer on how to handle pulling the file manually? s****p is taking quite a long time and not sure if it will even produce when done.

EDIT: Sometimes when you’re looking for a needle in a haystack it’s okay to burn the haystack down looking for the needle.

[! Removed Spoilers ]