Registry

Don’t really do the forums, but finally rooted this and would like to say thanks to @thek

Really enjoyable, and the user part was a great example of how you can gain a practical understanding of some theory. Root was frustrating but RTFM able, Really enjoyed it.

Argh, have hard time cracking the s** key for b***, please someone PM for some nudges.

EDIT: Nvmd, got it, thanks to @Rolesa, missed an important enumeration.

edit: probably spoiler

the machine behaves differently compared with this morning, after issuing a reset it should be in the exact same state, but it is not

edit: probably spoiler

about 1,5h after reseting the machine, the machine allows me to execute the uploaded reverse shell… looks like I missed part of the URL (shell.php?numeric)

edit: got it

Can anybody give me a hint, because I stuck on enumeration and I can’t find anything people talk about here. Only found api ( but no creds), b****hp and in

EDIT: got user, but I can’t find a way to get a second user. I also found .c*t file, but I don’t know how it can help me. Can anybody give me some hints?

Stuck at a point where I am able to s** as b*** and log in to the b* app with the creds I found.

The next step is most likely to get a reverse shell through the app, but not sure how to proceed with it. Nudges are highly valued!

Edit: Moved a step forward, thanks @aho!

oh man finally rooted, PM for nuggets

Finally I got my root shell.
Nice box, user part was pretty straightforward.
Root part is so cool.

Allelujah, rooted. After a reset, someone have deleted the root flag, i’ve searched everywhere… -_-’

Rooted, my first hard box was really fun. Thanks to everyone who helped me! @Rolesa @gorg @aho .
Please, PLEASE don’t delete flags next time, I’ve lost 1 whole day enumerating beyond the intended.

PM for nudges.

I got root.txt but not rooted yet!
Maybe tomorrow :slight_smile:

I wasn’t familiar with r****c but it seems like a really good tool.

– deleted

Need nudge towards root - have access as bt user. found some interesting files in the folder where the bt app is hosted and a ct file belonging to w**-d** user (couldnt extract due to invalid format). I see that r***c may be the exploitation path but dont know how to piece all this together. DM please for nudges.

So, rooted finally. My first hard box, what a journey! Had fun with this one. Thank you @thek

I’m not gonna write any tips this time- plenty of help already in this thread. Probably even too much. Nevertheless PM me for nudges if stuck.

Anyone else is having a problem, when logging in into the web app - the credentials are right, but it shows an “Uncaught Exception”, and cannot continue from there?
EDIT: Never mind, changed the browser, had some issue with cookies.

i’m really stuck on priv-esc, i’m on the webapp dashboard and I’ve tried everything I can to get revshell/codeexec… but i’m still there. Someone who can help me? D:

Any hint for initial part?
Found .r.h*/v2 but can’t find anything interesting :confused: tried enumeration . (have creds)

So, i’ve got the user b**t but have no idea where to look for root. i’ve found a hash from .versin file and it’s salt from the same directory. i’ve also got a login form in /bot. How should i proceed