PlayerTwo

Finally got user. The initial foothold is very frustrating.

@verdienansein said:

Got shell.
Trying to find a way to the o******r user but can't find much useful…

Play with the interesting service inside the machine. It's simpler than finding the foothold.

Very reminiscent of the good old days where you have to hex-edit games for whatever reasons :smiley:

I got the p****/ge*******.p**** file, am I in the right direction? Because the curl doesn't work…

@SniperXD said:

I got the p****/ge*******.p**** file, am I in the right direction? Because the curl doesn't work…

that’s a useful file to have :slight_smile:

@SniperXD said:

I got the p****/ge*******.p**** file, am I in the right direction? Because the curl doesn't work…

It does, try harder.

I got it guys, it was a bug… now I'm stuck with the 2FA.

@limbernie said:

Very reminiscent of the good old days where you have to hex-edit games for whatever reasons :smiley:

You mean like with Zork, right?
#rip
#NeverForget
#BecauseReasons

Rooted! The pwn in the end is amazing! Really enjoyed this box… one of my personal favorites on HTB so far!

Finally got the user!
That was a very long journey.
On root now.

2FA is pretty obscure now… I will assume that since there is no limit, it is possible to run a brute-force… although it has a time frame

@vrls said:
2FA is pretty obscure now… I will assume that since there is no limit, it is possible to run a brute-force… although it has a time frame

Don't brute-force the 2FA.

@menessim said:

@vrls said:
2FA is pretty obscure now… I will assume that since there is no limit, it is possible to run a brute-force… although it has a time frame

Don't brute-force the 2FA.

If the 2FA mechanism is properly implemented it wouldn't be possible; however, I'm getting a "constant" page on 2FA which made me believe the validity of tokens wasn't properly configured.

EDIT: never mind, I just reached /a**/***p right now, not sure if this is the correct approach though.

So with the missing parameter error, is there a smarter way to figure out the parameter other than brute force? I've made a wordlist of everything I can think of relating to t**p and fuzzed it with several parameters at the same time, but I haven't got anything.

Edit: got it! Thanks for the help everyone.

@SniperXD said:

I got the p****/ge*******.p**** file, am I in the right direction? Because the curl doesn't work…

curl works, but it is also possible to reach it without curl.

I love the documentation man! It’s so plausible.

@vrls said:

@menessim said:

@vrls said:
2FA is pretty obscure now… I will assume that since there is no limit, it is possible to run a brute-force… although it has a time frame

Don't brute-force the 2FA.

If the 2FA mechanism is properly implemented it wouldn't be possible; however, I'm getting a "constant" page on 2FA which made me believe the validity of tokens wasn't properly configured.

EDIT: never mind, I just reached /a**/***p right now, not sure if this is the correct approach though.

Reached the same location too, but stuck with getting 'invalid action' or server errors… is this a rabbit hole?

EDIT: D'oh! Finding the missing param was so obvious that I ignored trying it early on. Goes to show that you should enumerate all possibilities and not assume anything (;

@limbernie said:
I love the documentation man! It’s so plausible.

I hate documentation though :stuck_out_tongue:

@hackerB31 said:

@vrls said:

@menessim said:

@vrls said:
2FA is pretty obscure now… I will assume that since there is no limit, it is possible to run a brute-force… although it has a time frame

Don't brute-force the 2FA.

If the 2FA mechanism is properly implemented it wouldn't be possible; however, I'm getting a "constant" page on 2FA which made me believe the validity of tokens wasn't properly configured.

EDIT: never mind, I just reached /a**/***p right now, not sure if this is the correct approach though.

Reached the same location too, but stuck with getting 'invalid action' or server errors… is this a rabbit hole?

EDIT: D'oh! Finding the missing param was so obvious that I ignored trying it early on. Goes to show that you should enumerate all possibilities and not assume anything (;

Yup! Helps to ask it for what you need.

Got user!
Don't brute-force t*** a** params, but ask for what you need.

thanks for the nudge @dontknow