Bankrobber

Hi Gio! Thank you for your hint.
I found my way and rooted it immediately after reading your welcome post here.

@Gioo said:
Hi all

and thank you for very interesting and very realistic box!))

I think I may have my path to get an initial foothold, but stuck on how to encode…

Anyone have any hints for user?
Enumerated a bit and found the user and password are getting base64 encoded, while you have the ability to send money and you already know your ID - this way you could send money to users and confirm if they exist, but I’m not sure about that - a hint would be nice - so I thought of ID hopping and getting information this way

Not sure about anything yet

@j3wker said:

Anyone have any hints for user?
Enumerated a bit and found the user and password are getting base64 encoded, while you have the ability to send money and you already know your ID - this way you could send money to users and confirm if they exist, but I’m not sure about that - a hint would be nice - so I thought of ID hopping and getting information this way

Not sure about anything yet

I am also still working on getting a foothold on user. I too have noted how id can be enumerated given how authentication is performed in user pages. After much busting’n’fuzzing I am not (yet?) seeing how admin pages can be accessed and given one of the js files would seem to be necessary for host user foothold. (Hope not too vague but not spoiler here.)

@ue4dai said:
@j3wker said:

Anyone have any hints for user?
Enumerated a bit and found the user and password are getting base64 encoded, while you have the ability to send money and you already know your ID - this way you could send money to users and confirm if they exist, but I’m not sure about that - a hint would be nice - so I thought of ID hopping and getting information this way

Not sure about anything yet

I am also still working on getting a foothold on user. I too have noted how id can be enumerated given how authentication is performed in user pages. After much busting’n’fuzzing I am not (yet?) seeing how admin pages can be accessed and given one of the js files would seem to be necessary for host user foothold. (Hope not too vague but not spoiler here.)

Already done it
Trying to get the next step now

Still messing with it… I can almost smell a password…

Rooted. Not sure why this was rated a 50 pt box… personally found all the current 40 pt boxes harder than this one.

Hints for user: reminded me of some OSCP boxes. Think client-side and chaining together some web app vulns.

Hints for root: The thing to exploit will be pretty clear and a variation of what worked for user will work here too.

PM for hints.

Rooted:

User: Client side thinking

Root: Enumerate normally, when you find it, “write a lot”

Got user, and was on the path to root when shell dropped and won’t come back. This box is very temperamental.

Got user now on the way to being root

For user I’m stuck on b*****************p. ::1 is killing me.

@iliketacos said:

For user I’m stuck on b*****************p. ::1 is killing me.

I was also stuck on the same thing for a whole day. It can be bypassed. Try locally first :wink:

@mpzz said:

@iliketacos said:

For user I’m stuck on b*****************p. ::1 is killing me.

I was also stuck on the same thing for a whole day. It can be bypassed. Try locally first :wink:

Did you mean can or can’t?

@ijwbah said:

@mpzz said:

@iliketacos said:

For user I’m stuck on b*****************p. ::1 is killing me.

I was also stuck on the same thing for a whole day. It can be bypassed. Try locally first :wink:

Did you mean can or can’t?

Can. It can be bypassed, it’s not a rabbit hole

@mpzz can I PM you?

Is anyone else having huge difficulties getting their shell to pop? Sometimes it’s instant, other times it will take up to an hour

@clubby789 said:

Is anyone else having huge difficulties getting their shell to pop? Sometimes it’s instant, other times it will take up to an hour

Same here… I don’t know why.

Spoiler Removed

And rooted. Very interesting box, but needs more testing; shell was impossible to drop half the time, and if someone killed ******.exe then it was a reset :confused:

  • Initial access: Enumerate the site to understand how the frontend affects the backend. Don’t be afraid to wait a while if it doesn’t work immediately.
  • Shell: If a tool doesn’t exist, put it there
  • Privesc: Once you find the interesting process, the two stages in it are fairly simple variations of things you should be familiar with.

Pretty good box, but the initial access using the web app is often unresponsive or even takes longer than the stated timeframe