Craft

Well, this was interesting. The user had layers and layers, like Shrek… I mean onions. The root, on the other hand, was just… getting it. Thanks @rotarydrone

Rooted!

Finally! Finished with this ■■■■ box… Though it was fun in hindsight.

Hi guys, trying to get my initial shell but I keep getting this error {“message”: “An unhandled exception occurred.”}. Can someone help me?

Edit: never mind, made it work
user owned
root owned

Finally rooted.
User is very complex and layered.

The best hint I’ve found on the forum, for jail escaping, was “LEARN SQL” :smiley:
It sounds a bit harsh but it’s not.

Root is easy if you have experience with do****.
I don’t. But if you read the documentation from gogs you’ll figure it out.

Among the best machines I’ve done, it gets you in touch with several technologies, thanks @rotarydrone.

Can anyone help me with the payload? I don’t get it to work for some reason.

I used gobuster but I can’t find any files or directories and none of the links work, I’m really still stuck on the index page. Can someone help me?

@rotarydrone awesome box, I really loved the process and the design, plus learned some more, which is always nice.
Hope to see another box of yours soon :slight_smile:

@sazouki said:
■■■■ I got an SSH key from that use repo and it asks for a passphrase when I’m trying to log in?

Same here. "Invalid format for [s**] key". A nudge would be helpful. Figure I’m close to user.

Ok, I got user now. I now understand why the errors…needed to look closely at the key I had.

Then I’m guessing I will focus on v**** to get root although I have no experience with d*****.

Yep. root.txt. Had to reset the box though before the final command worked to get me in.

Can someone please PM me about getting user? Can’t understand how to correctly interact with JSON and where to look to drop a shell…

Can someone PM me for a hint?

I am currently in Jail, found creds for DB and don’t know where to use them (they are not usable in G***). I changed the SQL statement in the file I found to enumerate databases and tables, but no success so far.

Rooted.
Initial was tricky, but after that getting user.txt and root.txt took me about 30 minutes - probably because I spent way too much time reading all source code.
PM me for a hint.

PM for nuggets

@rholas I PM you

I get cred of user dinesh and I’m able to add brew to db.
What’s next?

Any help for error at loading key invalid format?

Rooted. Really enjoyable machine that had me stuck in a few places. PM me for nudges :slight_smile:

@voidhofer said:

I am stuck at the jail. Already got the credentials, all three of them, but I have no idea where to use them. Already tried SSH and looking through their gogs repos, but nothing worked. Can someone please give me a hint?

I thought you were really in the can cuz your avatar almost looks like a mugshot :wink:

Can anyone plz tell me why I can’t seem to access the api or gog pages? They are returning as Server not found… I’ve edited my /etc/host/ file to reflect both name resolves but still nada, I’m at a bit of a loss. Can anyone help me on this?

I had to restart my browser after updating my hosts file.