Craft

Nice box, I don’t think it’s one of my favorites though. An intermediate level box (at least for user). Too much RTFM, although that is pretty much a prerequisite for infosec; I find myself speed reading and missing stupid, obvious stuff lol. I’ll give this 4 stars, as it is straightforward, although if you don’t read everything carefully it can turn into a head banger. Some tips so others don’t have to scroll through the thread every time they need some ideas/help:

Initial Foothold:
Probably the hardest step on this machine. But don’t worry, it’s not that difficult. First, like everyone else is saying, make sure you enumerate the subdomains completely, I mean every single commit and line of code. You will see two things that should stand out. One will help with getting a token for the API (look at the code if you’re getting syntax errors when trying to authorize), the other is a naughty programming practice that has something to do with accepting user input. After that it’s just about making sure your payload is working and formatted correctly. If people are having trouble with a nc shell that keeps dropping, ask yourself what symbol/command in BASH can open up a new thread/process in the background?

User:
Hmm, sort of a headbanger, but actually straightforward if you don’t rush things like I did. You actually don’t have to enumerate much. It’s also basically about thinking how to leverage running a database query using the files and programs available to you. Also, if you find some loot, don’t be like Gog and Magog and throw it away ;). If you retrace your steps and keep your loot, you’ll find more loot by enumerating more, maybe even a key to the casshtle.

Root:
Easiest, I shouldn’t need to give anyone any tips here. It’s best to read the --help of an interesting service that isn’t run by default on *nix machines.

GL!