Oouch

Most fun box I’ve completed from start to finish. Root is an amazing journey. +1 to qtc.

Finally owned after about 24 hours of solid work. Absolutely incredible at every step, challenged a lot but never too far. Looking forward to the next one. (How long before we can guess all the passwords on your boxes?)

Got pretty much all the information I need, now figuring out how to use that info is the tricky part…

Hi guys, I’ve found the stuff running on port 5*** as well as 8***. In there I created one account for each and linked them… I’ve watched the URLs, removed c*** t****** in different places and so on and so forth, I can’t seem to get ANYWHERE haha.
I found auth for /ap********/ and noticed the difference from /ap********/re*******
(as in they target two different users)

A little good ol’ nudge would be wonderful :slight_smile:

@zaBogdan said:

This was a ■■■■ of a ride. Even though I didn’t get the root yet, I will try to give you some hints (only for the user part).

  • Try a bunch of wordlists. The default ones might not reveal the whole truth.
  • Any in particular you recommend? Will big.txt be enough?

    Super fun so far, I love boxes like this!

    Got the o–th login working, played with the c— tok—, but haven’t gotten any real juice yet. I’m down to compare notes with anyone that is stuck.

    Any hint for a low-level shell? I was able to create a user account and access the web pages on 5***, but I’m not getting any useful info from it. Any help would be appreciated.

    Need help please. I created an account on port 5***, decoded the session, changed the user to 1, encoded it and replaced the old session with the new one, but nothing!? Any hint please. How to encode it, by key or …? Thanks.

    Rooted! :smiley: The user part stretched my limits on modern web apps and authentication schemes. The root part was pretty straightforward, but still pretty fun.

    Nice box @qtc. You can always tell how much time and effort you put into these. It is appreciated.

    Rooted. Thanks again for the great box @qtc

    hostname
    oouch
    id
    uid=0(root) gid=0(root) groups=0(root)
    

    What a ride! Thank you for the nudges along the way. Probably the most educational box for me so far.

    Any nudges on how to use the Contact form? I don’t know how to write the message to connect it to my profile

    Hi, do I need to brute-force Flask?

    Just got user. Respect to @zaBogdan for the help. Initial enum is really important.
    For root, I do understand what should be exploited.
    Seems like another user is needed to send meaningful messages.
    Should I find an RE on the wb s****r?
    Thanks for any nudge!

    @cotonne said:

    Just got user. Respect to @zaBogdan for the help. Initial enum is really important.
    For root, I do understand what should be exploited.
    Seems like another user is needed to send meaningful messages.
    Should I find an RE on the wb s****r?
    Thanks for any nudge!

    Oh! I missed something obvious… ><

    Rooted.

    In my opinion this box could be considered insane. Thank you @qtc your skills are really impressive.

    User hint: Enumeration and understanding the logic behind the applications. Anyway, my real hint is to study everything you’ll find (if you haven’t seen it already) to get to the solution.

    Root hint: Enumeration. In my opinion it’s an insane machine, and you have to try hard. Look at what’s going on in the processes, understand how the applications communicate, and find a way to execute commands from one side to the other. Use Google even this time.

    Anyone want to help me move forward on this? I have the thing, but all it seems to do is disconnect my other guy? Any tips??

    @Chr0x6eOs said:

    I see a possible vuln, but the WAF does not seem to like my attempts at all…

    Got a response… Now trying to get something useful…

    I only got a response once. After that nothing. So my plan of connecting to another account is still stuck.

    This behavior is worse than bank robber machine.

    Any hint for this?

    Spoiler Removed

    @bertalting said:

    Anyone following the HackerOne article?

    Which one?