Did this machine 2 days ago… spent 3 days… Root was easy, as I enumerated before that a lot. So root took 10 minutes.
Initial foothold was really nice, spent quite a lot of time… saw each file… and ■■■■ found what I need only after reviewing the content 3 times. (Am I blind?)
User: this took me 2 days… as I got creds… got s…p…k… tried all passwords I found while enumerating… none of them worked for s… so tried to crack that key… and after 2 days I decided to check passwords again and type by hand, not copy paste… and it worked… What a stupid mistake!
Nonetheless! Machine is great… especially initial foothold… which seems to be a typical error for developers (I made this mistake once…)
I managed to get my initial foothold, just been stuck on how to escape the “jail” others have referenced throughout this discussion. Anyone willing to share some pointers?
I hate golang… figuring out this format for the injection is going to kill me… Can anyone give me a nudge to help me figure it out… I know what I want to do to prove I can inject… I just have tried everything I can think of to match the right format. No luck though.
I’ve been stuck on enumeration for three days. I’ve tried dirb, dirbuster, wfuzz, and dnsmap and none of them find the subdomains. I’m guessing it has to do with the SSL certificate, but am unsure. I’ve configured the hosts file and wfuzz and dirbuster have found the Swagger URL, so I know those two work, just not for the subdomains. Any hints?
Rooted this machine. Feeling so awesome after rooting since it is quite a challenging machine (for me). Foothold and users took me two days while I only needed an hour for getting root.
You’ve got to be kidding me…! So I got shell pretty quickly, I mean the breadcrumb trail is right there for you. But then…2 days looking for the next step. Why are there no creds? Well apparently you only get what you ask for…What a plonker. I just needed to ask for a bit more. Still, took me another afternoon to get user. 3 days wasted - well when I say wasted, I mean: learning an incredible amount about systems I’d vaguely heard of but never played with. Now off to get root, which I think I may have already guessed how it’s going to work.
Thanks for giving a real novice a few more skills to hopefully help me transfer into the pentesting world.
My only disappointment was the lack of proper British beers.
Edit: Root had in almost 15 mins, almost exactly as I thought. Great challenge, confidence to try the slightly harder boxes now.
Wow… 3 little characters in a script held me up for days, I kicked myself so hard.
user: the leader of the team will show you the way. Read scripts carefully(!)
root: Learn how to use the tool that is provided. One shot is all you’ll need.
Can anyone PM me with an initial foothold hint, like which repo to look into?
Enumerate the repo you have access to carefully - both past and present. Look for interesting things. Then read current code carefully and look for something that can be exploited.