FluJab

@nijat11 said:

Any hint on "Direct IP access not allowed"? The HTTP header does not work :frowning: even with IP 20.xx.xx.xx5.

This is indeed annoying. I'm stuck on this for the second day already!
Is everything fine with this machine? Its quality concerns me very much.

Please, anyone PM me to discuss "Direct IP access not allowed" on https://s*****-c******.flujab.htb/

@3mrgnc3 thanks for your work, I had several days of fun and pulling my hair out. Eventually I got my precious root.txt in an unintended way.
As for the dispute over whether this box is real-life or not: I guess when you have a lot of rabbit holes, don't have the source, and connections are randomly dropped when you scan, that is a very real case. When you attack, most sane people defend. That's normal. Just don't be the %27 guy xD

Hey @m4rc1n & @nijat11

Burp all your requests that are being denied and check if you can’t access what you expect because of your browser or the server.

Maybe it’s not the quality of the box… but your knowledge of browser caching that’s the issue?

Thanks @14dev
You are very welcome :wink:

Hi there,

I hope someone can guide me on how to get info from the nurse.
I was able to get the standard info from b*****g and c**********n, but I am struggling to get more info from her.

Can someone give me a nudge on that?

Cheers

EDIT:

Got the point here. Learned a lot on how to ask correctly and get beyond the expected answer.

Hi @Sh11td0wn

The clues are in the box name and this post thread.

@m9rcin said:

@3mrgnc3 said:

Hey @m9rcin & @nijat11

Burp all your requests that are being denied and check if you can’t access what you expect because of your browser or the server.

Maybe it’s not the quality of the box… but your knowledge of browser caching that’s the issue?

Thanks, I have user, but the last step to get it... Maybe I missed something during enumeration, but I do not really see how to guess what to get without extra help (even after "suffering" through the OSCP course). Curious if there was actually any clue for this on the box.

Finally got root <3 I really love this box. Getting user is like ■■■■. Root is fun. I appreciate your effort @3mrgnc3, love this box. Learned tons of things.

@HadesAKM said:

Finally got root <3 I really love this box. Getting user is like ■■■■. Root is fun. I appreciate your effort @3mrgnc3, love this box. Learned tons of things.

Very happy to please :wink:
Well done on your pwnage of FluJab.

Finally rooted Flujab!

Awesome machine! I voted it as not realistic at all, because in the real world we will hardly find targets with vulns (and other funny things) at every single step of our invasion.

That being said, I learned a lot on literally every step from initial enum to root shell.
I want to thank the author and the guardian angels that helped me.

Everyone is welcome to PM me for hints or discuss the workflow.

Cheers

How do you access the sub I got from the nurse? One way it returns "Direct IP access not allowed", the other way it returns a 301. None of the usual WAF bypass headers seem to work.

@krypt

Double-check what your browser is requesting. Try using Burp intercept and don't assume that what you type into the URL bar is what your browser will request.

Modern browsers cache way more than expected in order to improve page load speed.

If that still won't work... that's either because you haven't recently spoken to the nurse or someone else told you what she said.
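The advice above (and the same hint given earlier in the thread) boils down to: take the browser out of the loop and look at the exact request bytes. The following is an added example, not code from the thread or from the box. It assumes that a "Direct IP access not allowed" style response is produced by a front end comparing the HTTP Host header against a configured virtual host; the thread does not say how the box itself implements it, so that is an assumption, as is the hostname portal.example.test. The script runs a tiny local server that behaves that way and then sends requests to the same 127.0.0.1 socket with different Host headers, showing that the verdict depends only on that header and that the usual forwarding headers do not change it.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed virtual host name for the demo; not the box's real hostname.
EXPECTED_VHOST = "portal.example.test"


class VhostHandler(BaseHTTPRequestHandler):
    """Toy front end: refuse any request whose Host header is not the configured vhost.

    This mirrors the common reverse-proxy pattern behind messages like
    "Direct IP access not allowed" (assumption; not taken from the thread).
    """

    def do_GET(self):
        # Strip an optional :port suffix before comparing.
        host = self.headers.get("Host", "").split(":")[0].strip().lower()
        if host != EXPECTED_VHOST:
            status, body = 403, b"Direct IP access not allowed\n"
        else:
            status, body = 200, b"Welcome to the portal\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo output quiet.
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, host_header, extra_headers=None):
    """Send GET / to 127.0.0.1:port with an explicit Host header.

    Unlike a browser, nothing here is cached or rewritten: the Host value
    on the wire is exactly what we pass in. Returns (status, body).
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    for name, value in (extra_headers or {}).items():
        conn.putheader(name, value)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode().strip()
    conn.close()
    return resp.status, body


def demo():
    """Same destination IP, three different requests; only Host matters."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        return {
            # What a browser sends when you type the bare IP into the URL bar.
            "ip_literal": probe(port, f"127.0.0.1:{port}"),
            # "WAF bypass" headers with the IP still in Host: no effect on this check.
            "spoof_headers": probe(
                port,
                f"127.0.0.1:{port}",
                {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Host": EXPECTED_VHOST},
            ),
            # The request you actually want: connect to the IP, name the vhost.
            "vhost": probe(port, EXPECTED_VHOST),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label:15} -> {status} {body}")
```

Against a real target the equivalent of probe() is `curl -H 'Host: <vhost>' http://<ip>/` or editing the Host line in Burp Repeater; if the browser keeps showing a 301 instead, clear its cache (permanent redirects are cached by default) or compare the intercepted request with what you typed.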

Yes, it was the cache; figured it out later.

Whoa, not a piece-of-cake box.

Thanks for the "nurse talk", it was an occasion to use a personal tool that I wrote. It's a good opportunity to improve it.

Now stuck in the area where the nurse guides me. I see the closed door and no clown to end the party (if it makes you crazy, tell him to stay at home). Tried to c***k the given hint, it did not work, and I did not find any bug to exploit.

What did I miss?

Oh my, what a box… I really didn’t want to ask for help but here I am… stuck after a week.

I have one question: when talking with the “Nurse” I just kept on scope as suggested, but it seems I cannot use the information I get. Do I need to get out of the scope?

If we have the same definition of the word scope for this machine, when you get the good info, you will find the new “scope” with it.

@neuronaddict said:

Oh my, what a box… I really didn’t want to ask for help but here I am… stuck after a week.

I have one question: when talking with the “Nurse” I just kept on scope as suggested, but it seems I cannot use the information I get. Do I need to get out of the scope?

If we have the same definition of the word scope for this machine, when you get the good info, you will find the new “scope” with it.

I mean not getting out of scope: not attacking/testing services that do not belong to flujab.
Let's say that the "Nurse" can tell you tales from 3 different books: os, v**********s, and pt. But only v**********s is in scope, as it is the book used by the flujab "company". So, do I need to get out of scope and tell the Nurse to read me the other books?

Finally rooted. Root is the easiest part I think. It has been frustrating at times but still a cool box.