Rooted, really good machine the priv esc taught me a lot.
■■■!! I want to kill myself. All this time z****r password was in front of me and I never tried to use it because I was convinced it was only used in that script. Im such an idiot.
Now going for root.
Edit: got root. 
I’m just too stupid.
I have access to the A**** Panel and also have created an S*****. I’ve tried everything on Tri***** and Ite**. But I don’t get it executed.
Please PM so that I can make the first step towards user
Can i get help related to priv. esc.? My scripts doesn’t give me any clue.
Got root before I got user using -* Anyone that did it the other way around that want to PM me how they got user and then root?
Nice box!!! I ended up stuck down the rabbit hole for a bit, eventually got out and then the box just hung every minute! So frustrating 
Revisited today and all was good again. I guess the hanging was because of all of the Hydra brute forcing (HINT: As many have said… It’s not needed! Just take a look around and guess!)
I went straight to root and then grabbed both flags. Then worked out afterwards how to move to user when typing up my notes. Getting user was def harder than getting root.
Would be interested to know more about the js** A** part of the website. Feel like I could have got more out of that, but didn’t have much success.
Got root first because forgot that backup may contain juicy info.
It was fun to get root first, but the right way to follow methodology steps, of course))
Rooted
Really an interesting box.
If anybody need hint ping me personally.
cool machine! very entertainig, i enjoyed so much!
Good box.
cant find valid creds… can anybody help me?
From an account you may already be able to get in with, you may be able to to find a username/name from what’s available and guess a password, need to look around and remember people are lazy with passwords.
@Bear said:
From an account you may already be able to get in with, you may be able to to find a username/name from what’s available and guess a password, need to look around and remember people are lazy with passwords.
I tried to guess the password for users in the system with rockyou, but I could not pick it up. Especially since on the first pages of this topic, they wrote that brute force is not mandatory.
Thanks for the answer, I will continue
edit: FMB, got it
Rooted this fun box
I’m interested in how you guys get A**** pwd for gui, seems I went thru another way. :lol:
Would like to learn from you, pls DM me.
Got to say, I’m kicking myself in the ■■■ about how simple this box was in retrospective, but I had a few hiccups along the way.
For the initial foothold I was using dirb, and learned two things, most important that dirb is single-thread so I’m using gobuster now, and second and more relevant to this machine, the default wordlist used by dirb does NOT contain the name you’re looking for, try with a larger wordlist.
After you’ve found the web interface see what you can gather out of it, neither the user nor the password are in rockyou, so don’t bother brute-forcing it. If you, like me, quickly spotted a possible user, and are banging your head against the wall trying to login with him, go to the basics, what do you usually try when you see a login form even before rockyou?.
If you can’t get a GUI then you probably need something else.
Finally for privesc I went straight to root, and again it was very, very simple, I almost want to hit myself for finding the thing needed to exploit it in less than a minute and taking hours to think about a way to use that. If you find it but can’t see how to exploit it, changing your path usually helps you see things differently.
I would like to discuss certain steps with people who rooted the box too, for example how you went from non-GUI to rev-shell because every time that I went there I saw that I was the only one doing it my way. Also about what was the intended way to get user, since I went straight for root.
hey all
Fun box, thanks Burmat.
Spent ages trying to get tty in odd ways, because the which command does not append a 3, oops.
PM me if you want a hint.
Done.Feel free to PM
nvm did it, thanks to @cotp