Multimaster

Finally got user! On to root… Great box so far! Thanks to everyone for the nudges and the hints on the forum.

This has been a very hard box for me. Feeling pretty hard-stuck as I finally got nudges to get me close to finding certain types of accounts, but the responses I’m getting back are not being encoded/decoded cleanly. Not sure how to handle.

@MariaB said:

No you need to find a user that can log in with a password. But first you need to find that user which is another moment of struggle : )

Indeed, I was struggling on this part as well, but very worth it :smiley:

@MariaB said:

I just got user.

Was very tough but was worth it. A lot of manual work. I will not give you nudges because the exploitation is awesome and we should struggle.

For the initial users, yes, I can give a good article which can help for the overall exploit.
But finding the real user was insane and beautiful : )
I struggled so much but when I found it was super proud of me. Was so so cool …

Now onto root … Let’s see if I will struggle again :smiley: most probably yes : )

BIG THANKS @egre55 and @MinatoTW for this amazing box.

Could I request this reading material please? :slight_smile:

May I ask someone a couple of questions regarding this box?

I have got user, but I am rather stuck on moving on to the next paths. I believe I have been down several rabbit holes which don’t lead anywhere, but that could be my lack of knowledge about these systems.

@metuldann said:

Could I request this reading material please? :slight_smile:

Same… :smile:

So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I’ve tried tweaking the tamper script but still failing hard.

I may need to give up on this and find the reading material @MariaB hinted at.

I don’t need hints yet, just ranting more than anything else :smile:

@TazWake said:

So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I’ve tried tweaking the tamper script but still failing hard.

I may need to give up on this and find the reading material @MariaB hinted at.

I don’t need hints yet, just ranting more than anything else :smile:

I doubt that the typical automation tools will get you there (even with according tamper scripts). I’d rather recommend writing a small script to exploit it. And then search for/find said reading material :wink:

@SgtSIGSEGV said:

May I ask someone a couple of questions regarding this box?

I have got user, but I am rather stuck on moving on to the next paths. I believe I have been down several rabbit holes which don’t lead anywhere, but that could be my lack of knowledge about these systems.

I’m in the same boat… I think I see that path to root this box, but must be missing a piece to this puzzle.

for root: order french fries and use the bar code, it works!

Finally got user - only because of some nudges from @MariaB and @metuldann !

This is an insane box.

removed

Rooted. User part was more difficult than root part. But root part was long.

Hints:
Foothold: Abuse pi functionality with well-known OWASP attack and bypass WAF
User1: Enumerate with what you have in order to get what you need
User2: look who you are and which processes are running
User3: Reverse it
User4: Standard AD Attack with imp
****
Root: Standard windows privilege escalation

@gurbanli said:

Rooted. User part was more difficult than root part. But root part was long.

Hints:
Foothold: Abuse pi functionality with well-known OWASP attack and bypass WAF
User1: Enumerate with what you have in order to get what you need
User2: look who you are and which processes are running
User3: Reverse it
User4: Standard AD Attack with imp
****
Root: Standard windows privilege escalation

Oh god… I’m so stupid, I had user3 all along.

Well, what a machine. Full 2 days for User!!! @TazWake thank you for timely and accurate nudge there. Can’t imagine how hard would root go…

@nav1n said:

Well, what a machine. Full 2 days for User!!! @TazWake thank you for timely and accurate nudge there. Can’t imagine how hard would root go…

It’s a genuine pleasure to have been able to help you - I’ve learned a lot from your posts.

In the end, I decided I needed a break before root :smile: I ran out of steam completely!

User flag was fun. Finding the right comb took some time tho.

I’m now stuck, I think I know where I need to go, D**********, but I don’t know how to get there. I could use a nudge, I suck at Windows. :frowning:

Rooted, very good to learn Active Directory, PowerShell and a bit of Python.

Got root. I really need to work on my scripting.

Thanks to @peek for the nudge!
