Book

Oh my, a*** login. SQL Injection is not my strongest point. Hope it's not a rabbit hole.

If you have a Garden and a Library, you have everything you need.
Hint???

As usual there’s no need of guessing and bruteforcing. Have fun :wink:

The highest port is slow as ■■■■. I'm working on the uad from c**tions.php and the b****s.php, but it is lagging hard.

Is it normal for new boxes to be lagging so hard right after release, or is it specific to this one?

Boy, this machine is stupidly slow! o.0

Is this an unusually hard box, or are the usual first blooders away on a holiday retreat? I'd like to think of @sampriti or @snowscan parasailing at an exotic destination, drinking tropical cocktails with fancy umbrellas in them.

I couldn't see anything obvious yet, but the pdfs and jpgs are the only thing I noticed, unless they are a rabbit hole.

It has to be something related to f upload and f****k.php…

Found an admin page, can't do ■■■■ with it lol

I’m planning to start this tomorrow, but the fact that there are no bloods worries me :smiley:

I think I found something that might be vulnerable but am still working on exploiting it. Surprised there's no blood taken yet?

Just followed another rabbit hole, just to find out the vuln is long closed. :neutral:

Have there ever been boxes where XSS was the foothold? I was able to get an XSS trigger to send me a cookie, but it seems the admin user doesn’t interact with the feedback so I can’t get their cookie…

Still no first blood. Has anybody managed to get a foothold yet?

@Thane121 said:

Have there ever been boxes where XSS was the foothold? I was able to get an XSS trigger to send me a cookie, but it seems the admin user doesn’t interact with the feedback so I can’t get their cookie…

This is a really good question. No box with XSS to my knowledge.

@init5 said:

Found an admin page, can't do ■■■■ with it lol

You can try to BF it :slight_smile:

There was one actually

@Thane121 said:

Have there ever been boxes where XSS was the foothold? I was able to get an XSS trigger to send me a cookie, but it seems the admin user doesn’t interact with the feedback so I can’t get their cookie…

Yes, there has. One of them is still active.

@bertalting said:
@init5 said:

Found an admin page, can't do ■■■■ with it lol

You can try to BF it :slight_smile:

Normally I would, but @MrR3boot said there is no need to; I am taking his word for granted for now.