Player

Found a hash value on somewhere. Probably SHA-1. But I can’t crack it. Any idea?

Using some interesting vulnerability I found credentials for a user to login to some service but that stuff is restricted beyond anything. Searching for ways to escape I found nothing that worked, even looking at the config didn’t offer anything there. Again using the vuln I found out that I can forward things and get a login to some other service but I can’t seem to get that to do code execution for me even though I am a super user on that service.

Any useful directions where to poke it with a stick?

I really enjoyed this box, user was really really cool. sup3r h4x0r. root was cool too. Really like it, cheers to the creator

I’m staring at a page that asks for credentials and also found some strange looking info somewhere else. I feel like I’ve enumerated everything but don’t know how to piece things together. It’s also possible that I overlooked a crucial piece of information. Can someone give me a push in the right direction?

Type your comment> @zaicurity said:

I’m staring at a page that asks for credentials and also found some strange looking info somewhere else. I feel like I’ve enumerated everything but don’t know how to piece things together. It’s also possible that I overlooked a crucial piece of information. Can someone give me a push in the right direction?

It sounds like you’ve found several vhosts and one of the security findings related to one of them. If you look at the security findings, there’s something mentioned about another vhost which is likely the next step.

I’ve been enumerating for days and have found some information about a vulnerability. I just can’t find an entry-point to start solving the puzzle. Anyone willing to give me a small nudge?
Edit: Found a lead thanks to a @deviate .

finally rooted this, thanks @deviate for the initial nudge.

Hints for user: there are probably multiple paths to getting user. the path i took was pretty run-of-the-mill in the end but required some careful research, reading source, and trial and error. i overlooked some initial information (don’t trust what you read in this forum) and spent way too many days in enumeration ■■■■.

Hints for root: lot more straightforward than user.

feel free to pm for hints.

EDIT: having gotten some PMs and read some other writeups, I may have found an unintended path. The intended path appears more tortuous.

I learned so much on this box…thanks @MrR3boot ! That first CVE blew my freakin mind.

Man, that’s a difficult one.

I’m stuck before User, can anyone tell me if the cct.p** on the sng VHost is the right path to initial foothold?
Thanks

edit: nvm, total rabbithole

Rooted ! Thanks to creator … I really enjoyed the box … If anyone in trouble ping me

im stuck in jail, need some help with a breakout if someone is willing to nudge.

PS, what I got is, 1. the jail (i can enumerate all files from jail, but not get their contents) and 2. access to two other service users (i can read files with one of these) 3. a family guy which seems to be a total rabbit hole.

PPS. This is a seriously cool box

Is the countdown timer a rabbit hole? Having a hard time with the initial foothold.

Edit: seems so. Got something anyway, nvm

Is the upload form a rabbit hole? keep getting 404 when trying to access uploaded files.

why server is not compressing my file after uploading avi file ? it says no file selected

Hey there, I’m stuck at a place where I can upload things. Would anyone mind giving me a small nudge what to do there to move on? Thanks in advance!

/e: Alright, moved on. Thanks to a little nudge from @Leonishan .

Anyone any hints on how to get out of jail?

If anyone needs help at this step:

Look at known OH vulnerabilities, don’t get distracted by the p*l version.

Got user. Nice journey so far. Another big THANKS goes out to @agr0

got tired of watching so many videos guys , give me a hint on initial shell. thanks in advance

@ScreenSlav3r said:
why server is not compressing my file after uploading avi file ? it says no file selected

May be it is looking for other format than avi ?

rooted a days ago, but it’s really great box, got root in two different ways :smiley:
thanks for the creator :smile: