Bankrobber

@l4rm4nd said:

I’m stuck with the initial foothold. I’ve already exploited the client side and received some delicious snack. From here, I gained a more privileged access to some functions.

I successfully exploited the first function with a common tool and by hand, using commands like INTO OUTFILE and load_file(). With this I was able to identify the webroot directory + source code of all its files and thought of uploading a webshell. However, it seems that we lack specific permissions to access and execute our created files in the webroot.

Now I am back at client side and the 2nd function. I already know how to bypass the “limitations” of cmd. I’ve also tried some typical HTTP headers to bypass the ::1 limitation. Nothing works, so I guess I cannot skip the client side exploitation here. Since I already got the source code of Bdc*****r, I tested my client exploit locally - which works. Sending it to the victim however fails, it never connects back.

Need help.

Think about how the first exploit has worked. The important question word is Where.


Can anyone give me a nudge on the initial foothold? Totally stuck here -_-

I’ve been at this for a few hours and the concept is great (it’s been quite fun) but one of the vulnerabilities (the simulated bit) is very flaky - I get these things are hard to implement but man it is frustrating the f**k out of me! :-/

Having issues with root on this one. Pretty sure I’ve found the right path but I think I tried all the possibilities and nothing =/ guess it’s #tryharder

Wow, silly mistake made the privesc much more frustrating than it needed to be! Thanks @Kucharskov for the nudge that got me back on. Pretty simple after I fixed my code lol.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
getComputer        : BANKROBBER

On the initial foothold, I know I should be tampering with the sesame thing and the transfer form, but I’m not getting any result. Some hint by PM would be appreciated.

Rooted it. First vuln is really a brainfucker, something that I wouldn’t have figured was implemented this way. After this the machine is not that hard.

Idk how people aren’t more upset about this box. The process of getting a shell is completely unreliable. Got a shell after repeating the same thing several times and it just finally worked. Then my shell crashed after about 3 minutes. Going back to get a shell again doesn’t work, even after several retries and waiting more than 10 minutes. It’s just poorly implemented.

Totally stuck on initial foothold. I used dirbuster, found some juicy js-files, but they require user access. I did create a user and used burp proxy with coin transfer and user creation/login to fuzz with the parameters, but have no idea how to enumerate for the user credentials. Could only check other users’ coin balance with cookie editing. Any help/hint/nudge is much appreciated as this is really frustrating!

Though the instability / unpredictability can prove to be quite a hurdle, this is a very fun and satisfying box in the end. The extra points for it being rated ‘insane’ are definitely a bonus.

PM is open for nudges!

I am struggling to work out how to approach this. I have done lots of enumeration but not sure if the potential HTTP method that shouldn’t be available is something that I have to use to get a username or something that you eat.

Wow! Now that was fun. Tu for a very challenging box @Gioo & @Cneeliz. Cheers to @chvancooten for the couple of nudges to get me focused and back on track.

Ok. The idea was awesome! Sadly it was quite buggy.

If you are confident that your payload should work, try it again several times.

Loved this box and highly recommended for every OSCP student. The idea that it’s like breaking into a bank is awesome.

I’m having a rough time putting all the pieces together to gain initial foothold. Found vulnerabilities in a few different places where I can read files. Found another that lets me “execute” files when something happens. Not sure how to go about using what I have to do anything with b***********.**p and none of my usual tricks on these vulns want to work due to what I believe to be no write permissions.

Any nudge here or in private is appreciated.

And, rooted. Public appreciation once more to @bumika and @g3of0xx for guiding me through this.

So… because this box is not running as expected, I will leave it and start on another box. I tried to create a user with random usernames and passwords and it’s not possible; reset already, no luck… I hope the creators take a look at it.

Starting this machine. Let’s start

Hi,
I explored this machine for a while (last two days). I checked several things, starting, as usual, with what is open and what is closed. I discarded, for the moment, most of the “opens” and dug a lot into one of them, basically playing with money and figuring out how to leverage this. So, if anyone could give some nudges I would appreciate it. I am still a noob and my imagination still puts me in rabbit holes. I just need an idea to explore. Unfortunately I can’t explain my findings here, to avoid a spoiler. Thanks guys.

Finally root! I had a lot of fun and learned a lot, thanks @Gioo & @Cneeliz!