Luke

Can someone help me with the t**** thing?

@Sephrost
The Medium page has the correct syntax. Someone also mentioned earlier that not all applications use the same superuser name; if you have the password, play a little with the user.

Rooted eventually. The only reason I did not quit was that it was rated is; otherwise I would have long left it.

I have 4 sets of creds from port 3*** but can’t seem to get any of them to work on any of the 3 logins. Tried different combinations and capitalisation to no avail. Could someone PM me with some help?

Edit: rooted, I must have missed one with all the logins! Feel free to PM me for help

Just finished it!
Thanks to @idealphase and @ShayNay

Happy to assist if anyone needs a hand :slight_smile:

@GibParadox said:

Happy to assist if anyone needs a hand :slight_smile:

Thanks to this man :slight_smile:

This is only my second box ever, and I have enumerated every dir I could find. I am unfamiliar with j**n, so when I use the Medium article I am unsure whether the error I am getting is related to a bad user/pass combo on the odd port for auth, or whether the Medium article someone mentioned in here needed tweaks aside from the obvious http.

Any help would be appreciated.

Overall this was a pretty good box. Not too difficult for newcomers, but also not an instant win for more experienced CTFers. Great for teaching better enumeration practices: just because a tool you might always use doesn’t consider something a valid response doesn’t mean you should.
Happy to help through DM.

How to auth with the node.js token? Any hint please.

@heartbeathack said:

How to auth node.js token any hint please

There is a medium article in this thread, you may want to read it.

Enumerated ports 3*** and 8***, the second with no success though. Can someone point me in a direction?

Asked @vj0shii for a hint and after 35 minutes I got user and root!
Very easy machine once you understand how n***.js E*******s requests and their headers work.
If you have enumerated properly the rest should flow pretty smoothly!
Feel free to ask for hints.

@Imarobotlol said:

Enumerated ports 3*** and 8***. The second with no success though. Can someone point me to a direction?

Try playing with the number of threads and lower them to the bare minimum.

Thanks @GibParadox for the better Medium link and for finally solving this strange and fun machine.

Do you need the username/password to get the auth token?

Once again, after a brief review of the machine, I saw the benefits of reading the comments here at the forum. The comments by @anonymous187 will help especially.

Very CTF-like box, and it doesn’t even take 2 hours to reach the flags if you know how web pentesting works.

I can do my best for those who need help. (But please tell me what you have found so far in the message, before asking for help.)

Good box.

Nice. More of a lesson in enumeration than anything. That’s all you need to root this box. PM if you need help.

@anonymous187 said:

Let me try to hint you guys as much as i can without spoiling

1- We all have to respect the old and knock at their old door, they give wise words
2- Enumeration is the best way to get in and reveal things so enumerate all services and ports
3- When you have enumerated EVERYTHING and collected all the information (Uns, cls, LI* pages), it’s time to go to the playground and get some tokens
4- cURL will help you buy your playground tokens (but don’t forget to give it the cls)
5- You got the tokens??? YAAAAAY, it’s time to play. I mean play with the request header and the enumerated directories; this will allow you to win prizes =D
6- Use the prizes in different combinations with the found LI* pages so you can get the Grand Prize
7- What do you want more, you got the Grand Prize !!! Highest prize = Highest port (if you know what i mean :wink: )
8- That’s about it, you went to play, you got the prizes, went inside the highest port, time to go HOME =D

I would like to thank @BapaH for his assistance

I am struggling with 5 and 6. Not finding the second half of the combo, busting down more doors now. Found /U and /L at 3k but that’s it.

Finally realized my mistake thanks to @tykz and @mogyub and their simple but perfect hints. If anyone else is struggling where I was just stay where you are and build on what you have by hand. Great box, learned a ton about authentication.