Was very tough but was worth it. A lot of manual work. I will not give you nudges because the exploitation is awesome and we should struggle.
For the initial users, yes, I can give a good article which can help for the overall exploit.
But finding the real user was insane and beautiful : )
I struggled so much, but when I found it I was super proud of myself. Was so so cool …
Now onto root … Let's see if I will struggle again, most probably yes : )
May I ask someone a couple of questions regarding this box?
I have got user, but I am rather stuck on moving on to the next paths. I believe I have been down several rabbit holes which don't lead anywhere, but that could be my lack of knowledge about these systems.
So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I’ve tried tweaking the tamper script but still failing hard.
I may need to give up on this and find the reading material @MariaB hinted at.
I don’t need hints yet, just ranting more than anything else
I doubt that the typical automation tools will get you there (even with according tamper scripts). I’d rather recommend writing a small script to exploit it. And then search for/find said reading material
I’m in the same boat… I think I see that path to root this box, but must be missing a piece to this puzzle.
Rooted. User part was more difficult than root part. But root part was long.
Hints:
Foothold: Abuse pi functionality with well-known OWASP attack and bypass WAF
User1: Enumerate with what you have in order to get what you need
User2: look who you are and which processes are running
User3: Reverse it
User4: Standard AD Attack with imp****
Root: Standard Windows privilege escalation
Finally got User. Had to go do a bunch of other boxes and come back a month later but I’m glad I did. This is easily the hardest user flag I’ve done so far