Oouch

@Chr0x6eOs said:

@Sniper100 said:

I got some connection back from /C*****t but can’t turn it into an LFI. Any hints? Or is it a rabbit hole?

It is neither an LFI nor a rabbit hole… :wink:

I also can get connection in several different ways, however nothing works as it works locally …

Got a little bit further thanks to @tabacci
I now have creds and some other information, but don’t know where to use them yet…

Can somebody please give a hint for getting in the app as user admin?
Pretty sure it doesn’t require bruteforce

Got user. I did kind of enjoy it so far, but insanely hard. :lol:

Kudos to @tabacci, who I worked with to get this far.

This was a ■■■■ of a ride. Even though I didn’t get the root yet, I will try to give you some hints (only for the user part).

  • We all tried this first, but we got detected... I wonder if there are some workarounds
  • Try a bunch of wordlists. The default ones might not reveal the whole truth.
  • Why can't I code anything? Is this allowed? I don't think so. Nor on client side?
  • If nothing has changed it doesn't mean you are wrong. It just means you didn't understand the service and who belongs to whom.
  • Once you are an admin, follow the list in the exact same order, from top to bottom
  • Sometimes, there is a pattern, or a duplicate. Enum, enum, enum
  • Creds are not useless. Enum & read carefully that list
  • This was way easier if I could do it on the first step
  • If you can get something why not try for other things too.

I hope there are no spoilers. Please tell me if I was too explicit. I am willing to edit the post.

Finally got some juicy new info from the admin’s page. Please tell me I don’t need to do this login again for the next steps :smiley:

Most fun box I’ve completed from start to finish. Root is an amazing journey. +1 to qtc.

Finally owned after about 24 hours of solid work. Absolutely incredible at every step, challenged a lot but never too far. Looking forward to the next one. (How long before we can guess all the passwords on your boxes?)

Got pretty much all the information I need, now figuring out how to use that info is the tricky part…

Hi guys, I’ve found the stuff running on port 5*** as well as 8***. In there I created one account for each and linked them… I’ve watched the URLs, removed c*** t****** in different places and so on and so forth, I can’t seem to get ANYWHERE haha.
I found auth for /ap********/ and noticed the difference from /ap********/re*******
(as in they target two different users)

A little good ol’ nudge would be wonderful :slight_smile:

@zaBogdan said:

This was a ■■■■ of a ride. Even though I didn’t get the root yet, I will try to give you some hints (only for the user part).

  • Try a bunch of wordlists. The default ones might not reveal the whole truth.

Any in particular you recommend? Will big.txt be enough?

Super fun so far, I love boxes like this!

Got the o–th login working, played with the c— tok—, but haven’t gotten any real juice yet. I’m down to compare notes with anyone that is stuck.

Any hint for a low-level shell? I was able to create a user account and access the web pages on 5***, but I’m not getting any useful info from it. Any help would be appreciated.

Need help please. I create an account on port 5***, decode the session, change the user to 1, encode it and replace the old session with the new one, but nothing!? Any hint please. How to encode them, by key or …? Thanks.

Rooted! :smiley: The user part stretched my limits on modern web apps and authentication schemes. The root part was pretty straightforward, but still pretty fun.

Nice box @qtc. You can always tell how much time and effort you put into these. It is appreciated.

Rooted. Thanks again for the great box @qtc

    hostname
    oouch
    id
    uid=0(root) gid=0(root) groups=0(root)
    

What a ride! Thank you for the nudges along the way. Probably the most educational box for me so far.

Any nudges on how to use the Contact form? I don’t know how to write the message to connect it to my profile.

Hi, do I need bruteforcer flask?

Just got user. Respect to @zaBogdan for the help. Initial enum is really important.
For root, I do understand what should be exploited.
Seems like another user is needed to send meaningful messages.
Should I find an RE on the wb s****r?
Thanks for any nudge!