STOP CHANGING THE PASSWORDS FOR THE USERS ON THIS BOX!
I wasted two hours trying to figure out why I couldn’t su to a particular user with the creds I already found. Why? Because some self-absorbed jackass had changed the password and then left it that way after rooting the box.
People that do this need to be lead to the gallows.
Thanks for this! I also wasted way too much time looking for a privesc because i assumed this wasn’t the route. This comment saved me many more hours of frustration.
After trying a lot of different things and reading 22 pages of terrible and misleading advises i still don’t know how to get to login page. I’m a terrible skid and a shame to this community. Someone put me out of my misery.
Current key is only applicable for *.codepen.io.
Read more info about this error
You are trying to use the following key: Z7U7-XHIF9V-4A5Q3S-343X5O-0P5G1R-5G2G25-6S5F2Q-0Q0F5Z-37
I’m newbie in pentesting world and i’m totally stucked on the login page even after reading the whole topic. I have an idea about the “Mango” word game but I didn’t succeed doing some injection. Can someone confirm me that I have the good idea in PM or give me a nudge in order to progress ?
i ahve got user.txt now for root what should i do bro…
go get a good drink… relax… enjoy live… do something good for mankind… and think about the meaning of life / the universe / and everything…
but: just dont ask… (bro)
the login page is static with me, whenever I login no matter the credentials it gives me the same response as when the normal page loads, Is that normal ?
I finally rooted the box and i learnt a lot of things. But I have a technical question, I didn’t succeed to spawn a shell using the one liners foundable on internet. I could only execute commands but not an interactive shell. Would someone explain me why the spawn shell thing is not working ?
That was a great box!
User was quite harder than root honestly. But learned a lot and got to taste the juiciest mangoes.
Obligatory hints:
User:
Never ignore any error.
Most of the time the machine’s name have relation with the attack vector.
Bruteforcing is a pain in the ■■■, not just for you, but more for others. Write a script instead
ROOTED SUCCESSFULLY !
I’ve learned a lot from this box and had good experience
a lot of thanks to @MrR3boot for this awesome box and @traut for helping me
Got User & Root Flag. What a nice machine, getting the user was the most interesting part. There were many rabbit holes but still made my way through. Thumbs up
This is my first medium level box. Is the le k*y error on a***.**p page normal? I read back in a few pages of the discussion and looks like some people were able to load up data but I just see the error. I am leaning towards a rabbit hole but figured i would check first. Thx.
Fun machine, to be honest there were things I did not expect and made me feel like: ‘wtf’…
As a hint for all the people not knowing where to look for Mangos… If you’ve found the Login page, think about how Login normally works, think about where the username and password are checked, data persistence bla bla bla… this should be enough to get your Mango going. This is for user.
For root flag, start snooping around the system, see what you find and might be helpful, #gtfobins.