Official Forge Discussion

Official discussion thread for Forge. Please do not post any spoilers or big hints.

Comments

  • Has the forum died??? Not a single comment. I guess everyone is doing Discord now. Well nice box even if I would have rated it as easy and not medium.

    f1rstr3am

  • Type your comment> @f1rstr3am said:
    > Has the forum died??? Not a single comment. I guess everyone is doing Discord now. Well nice box even if I would have rated it as easy and not medium.

    It hasn't completely died. I've been staring at this one forever and I feel like it should be simple but it's not coming to me.
  • Type your comment> @f1rstr3am said:
    > Has the forum died??? Not a single comment. I guess everyone is doing Discord now. Well nice box even if I would have rated it as easy and not medium.

    hi.hint pls!
  • edited September 12
    Type your comment> @mmd78 said:

    > hi.hint pls!

    Have you enumerated subdomains? After that look for a provided way to access said subdomain(s).
  • Thank you for the box. I had fun with it.
  • edited September 13
    Good box.

    Hint - Don't trust your browser. That is all you need.
  • User: Enumerate everything and when you find something just follow the path and use resources available.
    Root: Do what you always should do first and then if you see something that you don't know what it is learn more about it.

    f1rstr3am

  • User/foothold: Was hard for me because I have done it for the first time. Enumerate the machine and then try to understand how to exploit it. I had to use some nudges to make it happen. After knowing what to do, it is pretty straightforward. (Look at machine name to get the exploit)

    Root: the easiest root I have encountered so far. Literally, the first thing I've done and tried. Just "break" something and think about what can You do with it.
  • Type your comment> @gnnr said:
    > Type your comment> @mmd78 said:
    >
    > > hi.hint pls!
    >
    > Have you enumerated subdomains? After that look for a provided way to access said subdomain(s).
    >

    tnks
  • > @Dante34 said:
    > Good box.
    >
    > Hint - Don't trust your browser. That is all you need.

    tnks for your hint!
    actually that helps me!
  • need a nudge!
  • edited September 13
    Hey,

    My first medium machine, and I'm struggling a little to get any further than the U***** page.

    Could anyone who's got the user.txt or rooted, please message me some hints, I'd be very grateful.
  • Type your comment> @Monicon said:
    > Hey,
    >
    > My first medium machine, and I'm struggling a little to get any further than the U***** page.
    >
    > Could anyone who's got the user.txt or rooted, please message me some hints, I'd be very grateful.

    I don't know where you're stuck
    But to get a foothold, remember what you have to think about when there is a field that deals with the URL

    If you need more small hints DM is open
  • Nice box. Some good hints above too, especially from @f1rstr3am and @N4gi
  • edited September 15
    Got user, now what? lol. The attack surface is so small, I don't know what to do next on the path for root. Do I still mess with the thing that got me user? Or do I mess around with trying to upload things?

    Edit: Got root! Hint: Think about what clues in your pocket you haven't used yet, and look for ways to utilize it (remember what you have access to). After that part, break something!
  • THIS IS MY HINT

    Hilbert

  • Contributed to giving you that respect. Really nice box that practices the fundamentals.

    Here's how to get by:
    1. Enumerate ports.
    2. DNS translation.
    3. Fuzzing. Tip: Small dictionary will suffice.
    4. Hardest part of Forge by far: Bypass upload restrictions. Tip: Name of the box should match something in the 2021OWASP top 10.
    [Foothold]
    5. You should have discovered some interesting notes on how to execute commands.
    6. List what's on the box and use that to connect to the box.
    [User]
    7. What can you run as root?
    8. Understand what it does. Tip: Don't play by the rules.
    9. Run your privesc.
    [Root]

    Where is my signature?!

  • I've enjoyed this box a lot.
    Hardest part, as usual, was getting a foothold.
  • User was so fun! Congrats @NoobHacker9999 !!
    the forum hints have been helpful ;)
  • Very enjoyable box @NoobHacker9999 !!
    Forum was helpful on this one, thanks!
    Happy to help if you need a nudge...
  • edited September 18
    Rooted <3 contact me in PM for an help
  • Ok Rooted :wink:

    Nice Box, I'm so satisfied to rooted it without help
    My first Medium Box !

    PM if you want ;)
  • I did Sub-Domains Fuzzing and I got a****.forge.htb as a sub-domain, any hint about how to access it ?
  • Type your comment> @CyberRobotX said:
    > I did Sub-Domains Fuzzing and I got a****.forge.htb as a sub-domain, any hint about how to access it ?

    Maybe some For**ry might help :)
  • Type your comment> @EF3X0S said:
    > Type your comment> @CyberRobotX said:
    > > I did Sub-Domains Fuzzing and I got a****.forge.htb as a sub-domain, any hint about how to access it ?
    >
    > Maybe some For**ry might help :)

    I know there's a S*** vulnerability but I can't exploit it :'(
  • Rooted. Thx @szymex73 !
    - User was not trivial (never heard of this TYPE OF THING before
    - root took me less than 5 minutes though ^^

    As always, pm if stucked ;)
  • edited September 21
    well i am getting internal server after note, anyone any idea related to this?,
    well my bad i think secondone is firstone value...
  • One of "the" best boxes I have played recently. Highly recommend this one if you are trying to go from noob to hacker. DM if you need help.
Sign In to comment.