Multimaster

So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I’ve tried tweaking the tamper script but still failing hard.

I may need to give up on this and find the reading material @MariaB hinted at.

I don’t need hints yet, just ranting more than anything else :smile:

@TazWake said:

So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I’ve tried tweaking the tamper script but still failing hard.

I may need to give up on this and find the reading material @MariaB hinted at.

I don’t need hints yet, just ranting more than anything else :smile:

I doubt that the typical automation tools will get you there (even with according tamper scripts). I’d rather recommend writing a small script to exploit it. And then search for/find said reading material :wink:

@SgtSIGSEGV said:

May I ask someone a couple of questions regarding this box?

I have got user, but I am rather stuck on moving on to the next paths. I believe I have been down several rabbit holes which don’t lead anywhere, but that could be my lack of knowledge about these systems.

I’m in the same boat… I think I see that path to root this box, but must be missing a piece to this puzzle.

for root: order french fries and use the bar code, it works!

Finally got user - only because of some nudges from @MariaB and @metuldann !

This is an insane box.

removed

Rooted. User part was more difficult than root part. But root part was long

Hints:
Foothold: Abuse pi functionality with well-known OWASP attack and bypass WAF
User1: Enumerate with what you have in order to get what you need
User2: look who you are and which processes are running
User3: Reverse it
User4: Standard AD Attack with imp****
Root: Standard windows privilege escalation

@gurbanli said:

Rooted. User part was more difficult than root part. But root part was long

Hints:
Foothold: Abuse pi functionality with well-known OWASP attack and bypass WAF
User1: Enumerate with what you have in order to get what you need
User2: look who you are and which processes are running
User3: Reverse it
User4: Standard AD Attack with imp****
Root: Standard windows privilege escalation

Oh god… I’m so stupid, I had user3 all along.

Well, what a machine. Full 2 days for User!!!. @TazWake thank you for timely and accurate nudge there. Can’t imagine how hard would root go…

@nav1n said:

Well, what a machine. Full 2 days for User!!!. @TazWake thank you for timely and accurate nudge there. Can’t imagine how hard would root go…

It’s a genuine pleasure to have been able to help you - I’ve learned a lot from your posts.

In the end, I decided I needed a break before root :smile: I ran out of steam completely!

User flag was fun. Finding the right comb took some time tho.

I’m now stuck, I think I know where I need to go, D**********, but I don’t know how to get there. I could use a nudge, I suck at Windows. :frowning:

rooted, very good to learn active directory, powershell and a bit of python

Got root. I really need to work on my scripting.

Thanks to @peek for the nudge!

Finally Rooted.

It is an INSANE machine. You will need to jump many hoops before you can even think of getting either of the USER or ROOT.

Patience is the key with this box. You’ll be able to enumerate without many issues but boy oh boy you need a ■■■■-ton of patience.

Hit me up if you need help.

DISCORD: jtnydv#5773

Can someone please DM me some hints/articles to read how to bypass the WAF.

Finally got User. Had to go do a bunch of other boxes and come back a month later but I’m glad I did. This is easily the hardest user flag I’ve done so far

Got user. What a journey. Many thanks to @velocicat and @lesleybw for helpful articles.
Root now.

Edit: Rooted. That was an awesome box. Many thanks to @MinatoTW and @egre55 for such an enjoyable and painful journey. I learnt a lot. Thanks @zeeshansahi for the nudges.

Hi
got 4 hashes but stuck at cracking them. Any hint on them?

Spoiler Removed