Teacher

@dxaxpanda said:

@Ruri said:
This box is cancerous. I don’t know what magical file people are seeing with credentials, but I’ve been through about a thousand of them and seen absolutely nothing. Super fun vector.

Carefully check the sources and you will be just fine…

I just found it. I maintain my last position: this box is cancerous. That was the stupidest vector I’ve found in all the time I’ve been doing this. I now see the little “hint”, but I maintain that this was idiotic and unrealistic.

Is anyone else having trouble with accessing the site?

EDIT: Do the credentials for the webapp change when the box is reset? My creds aren’t working anymore

EDIT2: Reaaaaaaly struggling with box stability. It’s up for 2 mins then down for like 10, no one else experiencing this?

Finally rooted! This machine is very unstable with all the resets… Some hints to help:
-For initial foothold:
Pay attention to everything you see on the site, no need for gobuster, just think like you have OCD… and then be a little “evil”.
-For user:
Can’t give much away without a spoiler, just try to be user G**.
-For root:
Find something that runs, try to understand what capabilities this program gives you and where it moves something, and use this to get your root!
Hope this was helpful and not a spoiler!

My advice for everyone is just to move on to another box. This is a complete CTF nightmare factory and is not realistic in any sense of the word. If you’re prepping for OSCP or trying to hone real-life pentesting skills, you are wasting your time here.

Does anyone have any hints for me? I can reach 10.10.10.153 fine but the web app I can’t get anything. Was having no problem yesterday. I reset my access config file for openvpn but still nothing…

@alrightalright said:
Does anyone have any hints for me? I can reach 10.10.10.153 fine but the web app I can’t get anything. Was having no problem yesterday. I reset my access config file for openvpn but still nothing…

If you are on free like me just be patient!

All I can say is this is a well-known CMS, hint: "learning"
It is vulnerable to code injection

Any hint for getting user? I have a shell but can’t find anything to read the flag :/

@xeto said:
Any hint for getting user? I have a shell but can’t find anything to read the flag :/

I’m in the exact same spot as you, currently digging around

@Phrenesis2k said:

@Sekisback said:
Found hidden txt from G***, made a passlist with all chars according to the txt. Used his first name as user. Tried it with hydra and burp. Nothing found :grey_question:

Username is case sensitive. So try again. :wink:

According to my tests, it’s not.

@alrightalright said:
I’m missing something… Can’t find where to log in. nmap isn’t showing anything. Can’t see anything with spider. Anyone drop me a hint? :tired_face:

try gobuster

@deleite said:

@Phrenesis2k said:

@Sekisback said:
Found hidden txt from G***, made a passlist with all chars according to the txt. Used his first name as user. Tried it with hydra and burp. Nothing found :grey_question:

Username is case sensitive. So try again. :wink:

According to my tests, it’s not.

It is case sensitive on the login page!

@Baikuya said:

@deleite said:

@Phrenesis2k said:

@Sekisback said:
Found hidden txt from G***, made a passlist with all chars according to the txt. Used his first name as user. Tried it with hydra and burp. Nothing found :grey_question:

Username is case sensitive. So try again. :wink:

According to my tests, it’s not.

It is case sensitive on the login page!

I managed to log in with ‘Gio*****’ and ‘gio****’ and the same password.

Hi, I got root.txt not the wildest way I expected. Someone please help me with root shell.

@Ruri said:
My advice for everyone is just to move on to another box. This is a complete CTF nightmare factory and is not realistic in any sense of the word. If you’re prepping for OSCP or trying to hone real-life pentesting skills, you are wasting your time here.

I don’t entirely agree with this, it’s a bit 50/50. Yes, the initial part is pretty silly and very very CTF. The getting shell part is something that can happen in real life. Then the creator made another poor choice with how to get the password (very CTF again).
I can see the priv esc part happen in real life as well, because it is just poor scripting which does happen a lot.

Rooted the box :slight_smile:

Interesting box … shell can be a bit of a time monster. However, I did like the priv esc.

@deleite said:

@Baikuya said:

@deleite said:

@Phrenesis2k said:

@Sekisback said:
Found hidden txt from G***, made a passlist with all chars according to the txt. Used his first name as user. Tried it with hydra and burp. Nothing found :grey_question:

Username is case sensitive. So try again. :wink:

According to my tests, it’s not.

It is case sensitive on the login page!

I managed to log in with ‘Gio*****’ and ‘gio****’ and the same password.

Someone changed creds then. You were lucky

Any hint on root? Can’t find ‘running prog’ everyone’s mentioning.

Edit: thanks to @jkr, moving on

I think someone put the root and user flag readable for everyone

Now that I get the box, I understand that this is one of the great defects of this box. I’m sure that many, like me, will end up getting the flag effortlessly because of this.