Oz

YOU HAVE NO POWER HERE! :slight_smile:

@bobthebuilder said:
YOU HAVE NO POWER HERE! :slight_smile:

Is this useful? I found it too, but no success with anything. Googling, I found a snippet of the script of The Wizard of Oz (1939) with the same line in it. Maybe there is something there, or not…

The fact that it is not pwned yet, after so many hours, shows the difficulty, I think…

Om Nom Nom

“You’re just trying too hard… nobody hides anything in base64 anymore… c’mon.”

@ozymandias said:

@bobthebuilder said:
YOU HAVE NO POWER HERE! :slight_smile:

Is this useful? I found it too, but no success with anything. Googling, I found a snippet of the script of The Wizard of Oz (1939) with the same line in it. Maybe there is something there, or not…

The fact that it is not pwned yet, after so many hours, shows the difficulty, I think…

No, it's not useful. I'm just pasting random funny bits I find along the way…

“You are just wasting time now… someone else is getting user.txt”
“Look… now they’ve got root.txt and you don’t even have user.txt”

Funny stuff :wink:

@bobthebuilder said:
“You are just wasting time now… someone else is getting user.txt”
“Look… now they’ve got root.txt and you don’t even have user.txt”

Funny stuff :wink:

hahaha… :wink:

\x: is this some encoding? Any guess, or a dead end?

You get so much info from the box, even limited file access, and still not in. Probably another facepalm once I know how 8D

@D4Vinci said:

it gives random strings for any unknown routes making it nearly impossible to enumerate.

Yes, the application has a custom 404 error handler (like another active challenge).
To enumerate, do not use the GET method. It's possible to find a route with a name like ‘/??e?s’, and maybe others.

Keep in mind that everything may be useful later.

This box is a nightmare.

I saw the first blood needed 15 and 18 hours, so much effort for that 30 points. LOL.

Yeah, I have to wonder if it was tested.

@waywardsun said:
Yeah, I have to wonder if it was tested.

It was 100% tested for 4-5 weeks before submission. All items and “rabbit holes” are working as intended. The box was tested again after submission by the HTB team, not for rabbit holes or being “unhackable”, but for whether it has a flow, is stable, and has steps that are logical to follow. Just gotta look a little harder and try different things. Never rely on a single tool for your enumeration or cracking.

@waywardsun said:
Yeah, I have to wonder if it was tested.

They don't know what medium means, but it's not new.

@incidrthreat

I think that you created a nice box. For a noob like me it is taking me out of my comfort zone. Probably it will take days or weeks for me even with the help of hints :slight_smile: But always love to play with python boxes.

Seems that someone has taken a lot of time to hide flags… wherever I go I see dead ends.

Does anyone have suggestions on some different tools to use for enumeration? I have used the usual suspects without success. I am not very good with web so some pointers to resources would be appreciated.

Any tips to enumerate this box?