Registry

This was the most ■■■■■■■■ annoying box aha

Learnt the most from it though.
Cheers for the box.

Is anyone else having trouble with a config file while using r***-s***** to get to root ???

can you please give me hints on the initial foothold, i found the /inst*** and download it and extract what’s in it, but nothing useful for the creds???

thanks

User was fairly straight forward, time to figure out root

Type your comment> @Kwicster said:

Man i feel bad even asking, but if anyone has a hint for the webshell/reverse shell part, i could really use it. Have auth with the webapp, but can’t get around the file upload barriers
you are already admin of the webapp
whatever blocking you in the webapp, you will be able to change it

After about a week I have finally rooted this box!
First hard box from me, big thankyou to @3ken45 @J0hnD03 @noi for the nudges.

A few tips from me:
User: find out what the web service is, and read up on common ways to “exploit” it. There is so much info on the web - read walk-throughs and the manual online, and user is actually pretty straight forward. Do some enum to get a shell.

Root: root took me a solid 5-6 days. Look through the forum here and you’ll see that from user1, you’ll have to get to another user before you can get to root. The exploit you’ll find online for that particular version of b*** won’t work (if it did it wouldn’t be a hard rated box). You need to find another way to achieve the same as that exploit (although the exploit doesn’t work, it still has something to do with f*** u*****). Once you get user2, its just more enum and reading manuals. Don’t skim over the manuals like I did, take your time to understand how re**** works.

At a loss on user2; have user1 ssh, have cms control. Evidently not getting my head far enough “out of the box.” Any kind soul with a nudge?

edit: done; what a box!

stuck on root need help =(

Im stuck on the initial user, I could definitely use some help trying to go to the second user.

I’m now in the container place after some basic enumeration d*****.re******.h**/v*/ . It asks username and password to authenticate. Can anyone give me a nudge on it? Thanks in Advance.

I’ve come to a stopping point for access to w**-*a shell. I have access to C and as seen in the forum, the obvious fu vulns don’t work. I’ve tried with a java shell as this is a supported file type and still no joy. Any DM’s to get me from user1 to user2 would be appreciated.

I have shell access with user 1 also.

Root took me more then i expected. Thanks for this great box.

stuck getting initial shell… found the /i****** directory and extracted the c*** . Also found the d***** web app and the name of the repository in it b***-i**** having trouble using d***** p*** command due to the self signed cert

well this machine its really interesting.

enumeration was really easy, lucky me, in past days a was reading about vulnerabilities in d***** so, obtain access to shell was easy after found the first 3 files, user 2 ■■■, really good challenge, i used a backdoor through my first con, and finally root, Good Lord, after read the manual and view the command was not sure if DIY apply so I ask to other users but the answer not was really usefull.

well this is my hints.

Start → the challenge is make technology your friend, this is friendly if you ask.
User1 → The funny thing is with the enum you obtain this access just puth J*** to work.
User2 → Now i can see other ways, but in fact, for my i took the easy to backdooring my connection, think about it, if front is bloked so…

root → I like when challenge its really about how you can manipulate the instruccion, its easy, think in what do you need to make work this stuff…

as always, thanks to @backslasht for the machine, and thanks to everyone for the hints.

If this result in spoiler, please delete it.

guys iam stuck at inital steps
found a login page at /v2/ is that the way?

Enjoying the box so far… Got user and have access to b***/b*** in order to gain access to w**-****, any nudges would be appreciated. Thanks.

Hello,
I’m stuck. Can’t login with s** on the machine. I founded the private document with the password, impossible to use it for ssh.
Anybody have an hint ?
Thx !

Lots of hints already on here so I’m not gonna troll by reiterating whats already here. What I would say is that, after a few weeks of mulling it over, this is absolutely one of my favorite ever boxes. The entire thing, imo, was epic from start to finish. Happy to provide nudges on via DM / Discord (5ysk3y#6172) for those who are stuck.

Very cool box, being a borgbackup guy myself, it was fun to play with r***.
Another hint that cost me some time: There’s something in the way going outbound from the box, but you already have SSH. Always remember your options…

Stuck at b*** user, found b*** cms files and r***** cli app but got no clues on how to proceed. Can’t find a way to login into the cms, can’t upload a file, just the index.php page. Can someone give a nudge? Thanks!

Edit: Found a hash on b***.d*, cracked it, but don’t know where to input it…