Registry

I am stuck at user. Can someone help me out, please?

Fun box… liked all components of it… a few cheeky things in there, but definitely had to be creative to get all correct access… :) Thanks @thek

I’m stuck trying to get user, my attempts to log in always give:

Error response from daemon: Get https://d*****.r*****.h**/v2/: dial tcp: lookup d*****.r*****.h** on 8.8.8.8:53: no such host

Any pointers would be appreciated, I just haven’t been able to figure out what’s wrong, or what I’m missing.

I am stuck on the root part.
I got pawrd from b.d* file.
I successfully logged into the webpage.
But I can’t get anything.
Someone please help me.

@seethe said:

I’m stuck trying to get user, my attempts to log in always give:

Error response from daemon: Get https://d*****.r*****.h**/v2/: dial tcp: lookup d*****.r*****.h** on 8.8.8.8:53: no such host

Any pointers would be appreciated, I just haven’t been able to figure out what’s wrong, or what I’m missing.

Have you added it to vhosts?

Consult d****r + machine_name API documentation more.

I have got the user.txt flag as b*** user. I have found the creds and logged into the login panel.

I suppose I need to upload a rev shell, get w**-***a and then priv esc to root, right?

Edit: I’ve got wa user, is this the way? bt → w**a → root?

Nice one! I really liked it and learned a lot.

Can someone help me with the reverse shell? Maybe my code is wrong.

Hint for those having problems with reverse shells/connections:
If the direction you’re going does not work, try going in the opposite direction.

Thank you @thek for this awesome box. This is one of my favorites!

I very much enjoyed stepping down to root, and I learned a lot. And thank you to @p3tj3v for nudging me to the double b.

Nice one. Liked it

Need some nudges… I’ve managed to find the /b***/b***/l***** page as well as the d**** version api page. Have read the docs and understand that I’m supposed to pull images. However I’m stuck at both sides without authentication creds. Am I supposed to be bruteforcing or am I simply looking in the wrong place?

@hackerB31 said:

Need some nudges… I’ve managed to find the /b***/b***/l***** page as well as the d**** version api page. Have read the docs and understand that I’m supposed to pull images. However I’m stuck at both sides without authentication creds. Am I supposed to be bruteforcing or am I simply looking in the wrong place?

Have you tried any classic username/password combinations? I have maybe a few logins I try on every page I come across (as well as googling for the application’s default creds).

If you try that and are still stuck, maybe reset the box (people can be jerks). Bruteforcing should be avoided.

Currently stuck at bt user. From the hints provided here, I think I’m supposed to su to w-d*** and exploit r***c somehow? I’ve even gone through the php files but still can’t find anything useful. Would appreciate it if someone could give me a nudge in the right direction ><

I got the .crt file. Can someone give me a hint what to do next?

Go back to initial enumeration. You need to pass through that gate you could not pass at first. Look closely at file permissions, you might need to get other users permissions in order to get root.

@drdsol92 said:
Currently stuck at bt user. From the hints provided here, I think I’m supposed to su to w-d*** and exploit r***c somehow? I’ve even gone through the php files but still can’t find anything useful. Would appreciate it if someone could give me a nudge in the right direction ><

root@bolt:~#

■■■■. This box was a blast! My first hard box and the box I enjoyed the most until now.

Kudos to thek for creating this for us… Also kudos to all the people that brainstormed this puzzle with me: Rb1929, P3tj3v and Rolesa

Frustrating yet incredibly fun and fulfilling box. I embarrassingly way over-complicated the initial foothold. This box was a pleasure. Thanks @thek!

Thanks a lot @thek for this box. I had a lot of fun, really. I was familiar with the first technology used, but the whole root part was new and I felt a really nice sense of accomplishment.