Registry

Spoiler Removed

Rooted.
Really frustating machine, but it was a great teacher to me.

User 1: What a ride. Enumerate and don’t ignore anything. Scan smart not hard.

User 2: Quite simple to find if you enumerated, but not so simple to actually do it. You’ll take a step backwards =) You have to be fast and think outside the box. You can’t outrun it, but you can outsmart it. The more creative you get, the better.

Root: Tunneling and Enumeration. Luckly my first enumeration command had what I needed. Then the hardest part of this machine: Exploiting the thing. I had to do a million tests and troubleshoots before it worked, but it worked. I didn’t think I needed a root shell, so I didn’t try, but I think it’s possible.

Rooted.

Fun box!!

Very easy for User but what a day for root.
PM me if you’re stuck, you’ll need patience for root.

Got rootflag, finally! One of my favourite boxes so far, awesome learning experience.

Feel free to PM me if you need any tips!

@bumika said:

Since I knew the result of the earlier “reverse” nmap scan, I realized that I needed to apply “Server” method locally. The only problem was scarcity of a proper server. At that time I found an important word (p******e) in a message on this topic (thank mate), and hit my head gently. The solution is very simple.

I needed reading some pages from a tutorial of the application and readme of the server and constructed the finish which contained 5-10 elementary steps. It was a joy to see that my commands ran without any error.

Did you use r***-*****r or r****e?
I tried the first one, but with no luck!>

Type your comment> @BadRain said:

Since I knew the result of the earlier “reverse” nmap scan, I realized that I needed to apply “Server” method locally. The only problem was scarcity of a proper server. At that time I found an important word (p******e) in a message on this topic (thank mate), and hit my head gently. The solution is very simple.

I needed reading some pages from a tutorial of the application and readme of the server and constructed the finish which contained 5-10 elementary steps. It was a joy to see that my commands ran without any error.

Did you use r***-*****r or r****e?
I tried the first one, but with no luck!

[Edited]: I chose the first option.

Stuck with the creds on the API, any nudges?

i believe both uname and pw is the top 1 on the wordlist…

@0byte, silly me, got it thanks!

Don’t really do the forums, but finally rooted this and would like to say thanks to @thek

Really enjoyable, and the user part was a great example of how you can gain a practical understanding of some theory. Root was frustrating but RTFM able, Really enjoyed it.

Argh, have hard time cracking the s** key for b***, please someone PM for some nudges.

EDIT: Nvmd, got it, thanks to @Rolesa, missed an important enumeration.

edit: probably spoiler

the machine behaves differently compared with this morning, after issuing a reset it should be in the exact same state, but it is not

edit: probably spoiler

about 1,5h after reseting the machine, the machine allows me to execute the uploaded reverse shell… looks like I missed part of the URL (shell.php?numeric)

edit: got it

Can anybody give me a hint, because I stuck on enumeration and I can’t find anything people talk about here. Only found api ( but no creds), b****hp and in

EDIT: got user, but I can’t find a way to get a second user. I also found .c*t file, but I don’t know how it can help me. Can anybody give me some hints?

Stuck at a point where I am able to s** as b*** and log in to the b* app with the creds I found.

The next step is most likely to get a reverse shell through the app, but not sure how to proceed with it. Nudges are highly valued!

Edit: Moved a step forward, thanks @aho!

oh man finally rooted, PM for nuggets

Finally I got my root shell.
Nice box, user part was pretty straightforward.
Root part is so cool.

Allelujah, rooted. After a reset, someone have deleted the root flag, i’ve searched everywhere… -_-’