Luke

@gm0 said:

Rooted!

This box reminded me of a date I was on a few years ago - first part I was pleased with, thinking I had probed where I needed to, got the responses I needed and it was going to be easy. As it went on I encountered things I had not done before, learned a few new tricks and spent quite a few moments trying to work out what goes in where.

Once I had finished I sat on the couch catching my breath, feeling pleased with myself!

LOL. I enjoyed this. Congrats!

Any help guys why am I getting “please auth” even after supplying the token???

I just got user and root files, also got root shell!

Nice box for the job you need to do on port 3000.

PP

Hi guys. I get usernames and the password W******* from port 3***. I tried the usernames in combination with that password on 3 login pages, but nothing works. I'm stuck, any help?

@Maxisadas said:

Hi guys. I get usernames and the password W******* from port 3***. I tried the usernames in combination with that password on 3 login pages, but nothing works. I'm stuck, any help?

I'm on the same boat.

@Maxisadas said:

Hi guys. I get usernames and the password W******* from port 3***. I tried the usernames in combination with that password on 3 login pages, but nothing works. I'm stuck, any help?

@MrP4p3r said:

I'm on the same boat.

All the users you found have their own passwords that need to be obtained. Same way you found that password you can find the other passwords that will work somewhere else.

Rooted!

Well, I think I’m getting better: instead of spending a whole week working on a machine, it’s been “only” half a day. Haha

Thanks
@ixxelles @IdeaEngine007 @s1mple

Feel free to PM me for help.

I'm having trouble getting the token. I am trying to authenticate through curl, but I'm assuming my syntax is off as I am receiving a forbidden result instead of a token. Can someone help push me in the right direction?

Any help guys why am I getting “please auth” even after supplying the token???

Guys, I can't understand what I forgot to enumerate. I found in the f** the file for_cht. 2 web control panels (/mt and p 8) and the 3* service. I already know the syntax I need to get the token but I can't find the credentials I need to add to that request to get the token. Any hint?

Edit: rooted

Hint: try to open all the files that you find with the dirb*** scan (even the ones that you usually can't open)

This machine should be simple and straightforward, given that you know the basics of js.

A few things might delay you though, so take the following notes:
1-Use dirbuster with recursive mode
2-At the auth step you have to guess a username, but it should be one of the top 5 that come to mind
3-Username might be case sensitive
4-No need to overthink, or even try different combinations of creds, keep it simple

rooted. Good box to develop web enumeration skills.

Hints : Take note of all (and I mean all) ports which are open on this box as you will need all of them.
Enumerate everything (zap \ burp spider is not sufficient here) to find multiple login pages.
The service running on the strange port is not a web site but behaves like one and you will need to use a combination of all credentials found and some knowledge of JWT tokens. Medium do a good post for reference on this element.

PM if you need a nudge

@tiger5tyle said:

Authenticated into A***** but stuck. Just got a pretty much blank UI. Rabbit hole?

Edit: Nevermind. UI is there after reset. Someone must have spooned it.

How did you get authenticated?

Can someone PM me? I need help.

Wow. In hindsight simple, but once again the learning: do not assume anything. Verify everything. Somehow it got in my head that the service on 3 is graphql. What the ■■■■.

Rooted.

Once you enumerate all the stuff, user & root are uber easy. The hard part is avoiding the rabbit holes that are quite a few in this box.

Feels like I’m going in circles with this box…
I have got a gang of user creds but they don't seem to work anywhere…
and there are at least 3 spots to enter them…

I could use a little help… plz PM me

edit * rooted thanks mogyub!

Rooted. Not much trouble other than some messing up during some late stage enum.

Not my favorite box, but learned some things along the way.

@v01t4ic said:

Thanks @iamsundi for his help.
Now I know that not all seclists are the same. Was missing one URL in my enum results.

At this point there are more than enough hints on this thread. Especially the medium.com tutorial. After you get the token use it as much as possible and use what you found to generate new URLs to get even more info.

OK, the medium part I needed to learn but it has frustrated me so much I could no longer think what to do with the users. Nice post mate!

Can someone help me with the t**** thing?