Book

@mA1nfrAm3r said:

Hi, I need a hint for user. I’ve managed to login with name ‘a****’ and mail 'a****@.‘’ at the page at port 8 by following the things in the forum (TR-Function), but when I view my profile on the page, it still says that my role is user.

Did I miss something?

Nudges are welcome!!

PM or Discord (mA1nfrAm3r#8064)

Enumerate folders on webserver or if you already found it, then don’t forget there are two pages :wink:

I was /facepalming myself on this stuff after I was corrected by @TazWake :wink:

@snownoob Okay, so the webpage for the a****-user looks the same as a normal user, only the functionality is different? Was just confused by the role when I view the profile…

Thx!

Edit: Got it, wow, now I get why people said that it was unstable… feels like the 100th time that I tried to get into /a***** and now it’s working… :wink:

Thanks @snownoob

@mA1nfrAm3r said:

@snownoob Okay, so the webpage for the a****-user looks the same as a normal user, only the functionality is different? Was just confused by the role when I view the profile…

Thx!

Edit: Got it, wow, now I get why people said that it was unstable… feels like the 100th time that I tried to get into /a***** and now it’s working… :wink:

Thanks @snownoob

well, I know how it feels :wink:

@zelensky said:

It looks like I need some hints for user here. I’ve got access to the admin panel and see the connection between that and an u****d function in the user panel.

I’ve read a few writeups on exploiting this and got the box to “call back” to me. However, I have little success in getting it to reveal more, even after trying variations of that technique. Nudges are definitely welcome!

Don’t focus on getting a reverse shell to work via what is essentially an information leakage vulnerability. Leak the information. Much more effective.

Lots of frustration, as well as lots of fun and learning. Thanks @MrR3boot! Took me a good while to get root, as I thought I was doing the right thing but kept losing. Not sure if I eventually got lucky or my other efforts to tip the scales in my favor paid off.

is there any error in the key? cuz i got invalid format!

Finally rooted, great respect for @MariaB and @snownoob, without their help was impossible for me to solve the box, thanks also to my friend @steps0x29a for his hints and support.

There is a lot to learn in this box, it is not easy and immediate, thanks to @MrR3boot for showing me a kind of attack using X… in the P… document that I never faced before.
Only one remark, unfortunately the document reader tool in the first part could affect a lot of players, me too, I spent two days on this part.

@c4ph00k said:

Finally rooted, great respect for @MariaB and @snownoob, without their help was impossible for me to solve the box, thanks also to my friend @steps0x29a for his hints and support.

There is a lot to learn in this box, it is not easy and immediate, thanks to @MrR3boot for showing me a kind of attack using X… in the P… document that I never faced before.
Only one remark, unfortunately the document reader tool in the first part could affect a lot of players, me too, I spent two days on this part.

I am stuck on this part, the payload works well on my machine, but I couldn’t view it in the PDF

@khanafeer said:

I am stuck on this part, the payload works well on my machine, but I couldn’t view it in the PDF

This, largely, depends on how you view the PDF. There are many ways round it other than using the default viewer built into Kali. While this frustrated me for a long time, like most other people, I don’t think that box creators should make it “extra easy” to get data via information leakage.

@TazWake said:

@khanafeer said:

This, largely, depends on how you view the PDF. There are many ways round it other than using the default viewer built into Kali. While this frustrated me for a long time, like most other people, I don’t think that box creators should make it “extra easy” to get data via information leakage.

Same situation here. I am not using the default kali PDF viewer, but I still see no information there. It seemed to respond to “height” and “width” though.

@zelensky said:

Same situation here. I am not using the default kali PDF viewer, but I still see no information there. It seemed to respond to “height” and “width” though.

Then something you are doing isn’t working. Start small, with data you know has to exist on the system. If you can’t get it to show you that, the attack needs to be changed.

Any root hint? Stuck here :(

@0xstain said:

Any root hint? Stuck here :(

Look at running services, look at files (in your directory) that are a bit out of place, connect the dots.

I totally have no clue how to let the site expose additional data, maybe someone is willing to TEACH me? Or tell me what to read first?
Please PM!

@karl99 said:

I totally have no clue how to let the site expose additional data, maybe someone is willing to TEACH me? Or tell me what to read first?
Please PM!

Have you got admin? If so, there is a functionality within the webapp that allows some sort of “interaction” between the user and admin. When the Admin performs his action, certain things are loaded dynamically then and there.

Hey everyone, this box has been a good learning experience. I could use a little help with getting root. I’m pretty confident I have figured out what needs exploited, but I can’t figure out how to trigger it. I’ve been at this for a few nights now, but I’m pretty much just stuck at this point. If anyone is willing to nudge me a bit, please post here or PM me. Much appreciated!

@dskeet said:

Hey everyone, this box has been a good learning experience. I could use a little help with getting root. I’m pretty confident I have figured out what needs exploited, but I can’t figure out how to trigger it. I’ve been at this for a few nights now, but I’m pretty much just stuck at this point. If anyone is willing to nudge me a bit, please post here or PM me. Much appreciated!

Set up the delivery file, run the exploit, modify the target file.

@TazWake said:

@dskeet said:

Hey everyone, this box has been a good learning experience. I could use a little help with getting root. I’m pretty confident I have figured out what needs exploited, but I can’t figure out how to trigger it. I’ve been at this for a few nights now, but I’m pretty much just stuck at this point. If anyone is willing to nudge me a bit, please post here or PM me. Much appreciated!

Set up the delivery file, run the exploit, modify the target file.

Thanks. I’m an idiot. Much simpler than I was making it.

Managed to get private key for user r***** but…

Load key “id_rsa”: invalid format
r*****@b***.***'s password:

This is sooo frustrating. What am I doing wrong?

@awarkozak said:

Managed to get private key for user r***** but…

Load key “id_rsa”: invalid format
r*****@b***.***'s password:

This is sooo frustrating. What am I doing wrong?

The text of the key is too big to fit on the file you are rendering it to. So when you copy and paste you aren’t getting all of the characters. Change things up to make the key’s text fit where you are rendering it.
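
A way to confirm the clipping described in the reply above before handing a copied key to ssh, as an added example that is not part of the original thread. The function names are hypothetical, the sample is constructed filler rather than a real key, and the expected body widths (64 characters for OpenSSL PEM output, 70 for the OpenSSH key format) are what those tools normally emit.

```python
import base64
import re

# Assumption: the usual body-line widths (OpenSSL PEM = 64, OpenSSH format = 70).
STANDARD_WIDTHS = (64, 70)

def diagnose_pem(text):
    """Return a list of problems in a PEM-armored key; an empty list means it looks intact."""
    problems = []
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return ["file is empty"]
    begin = re.fullmatch(r"-----BEGIN ([A-Z0-9 ]+)-----", lines[0])
    end = re.fullmatch(r"-----END ([A-Z0-9 ]+)-----", lines[-1])
    if not begin:
        problems.append("missing or damaged BEGIN line")
    if not end:
        problems.append("missing or damaged END line (copy cut off at the bottom?)")
    if begin and end and begin.group(1) != end.group(1):
        problems.append("BEGIN and END labels differ")
    body = lines[(1 if begin else 0):(-1 if end else None)]
    if not body:
        return problems + ["no key material between the markers"]
    # Every body line except the last must have the same, standard width.
    width = len(body[0])
    if len(body) > 1 and width not in STANDARD_WIDTHS:
        problems.append(f"body lines are {width} chars wide, expected one of "
                        f"{STANDARD_WIDTHS} (clipped on the right?)")
    odd = [i for i, ln in enumerate(body[:-1], 1) if len(ln) != width]
    if odd:
        problems.append(f"body lines {odd} do not match width {width}")
    try:
        base64.b64decode("".join(body), validate=True)
    except ValueError:
        problems.append("body is not valid base64 (characters lost or added)")
    return problems

def make_sample():
    """Constructed PEM-shaped text: 512 filler bytes, not a usable key."""
    b64 = base64.b64encode(bytes(range(256)) * 2).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PRIVATE KEY-----", *rows,
                      "-----END RSA PRIVATE KEY-----"])

if __name__ == "__main__":
    clipped = "\n".join(ln[:50] for ln in make_sample().splitlines())
    for problem in diagnose_pem(clipped):
        print(problem)
```

Uniform right-hand clipping still decodes as valid base64 here, which is why the width check matters more than the decode check.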