ForwardSlash

So, I’ve managed to… find a interesting place I can register.
Not sure if someone made a fake account under one of the two users but I got that.
Though, couldn’t find the next step from there. the d** gives 403… I have a idea of what I need to do but not exactly sure how to apply it.

Small nudge forward would be appreciated.

Thanks,
~Monk3y

*** EDIT ***

Never mind peeps… I got into the hen house :expressionless:

Type your comment> @PrivacyMonk3y said:

So, I’ve managed to… find a interesting place I can register.
Not sure if someone made a fake account under one of the two users but I got that.
Though, couldn’t find the next step from there. the d** gives 403… I have a idea of what I need to do but not exactly sure how to apply it.

Small nudge forward would be appreciated.

Thanks,
~Monk3y

PM me if you still need a nudge

@zaphoxx said:

I am stuck at a point at user where i can read files but not all of the .php ; so far nothing i could read gave me some new information to proceed; plz pm for any nudges ; thx

There might be a filter you can use with PHP that bypasses this with a commonly used encoding format.

Finally got initial access — how Painful!!! Annoying all that work and still no user.txt ? pushing onward!

Type your comment> @applepyguy said:

Finally got initial access — how Painful!!! Annoying all that work and still no user.txt ? pushing onward!

We’re at the same place. I’ve enummed the ■■■■ out of the box.
Got a few more creds but can’t use them yet.

:stuck_out_tongue: best of luck, calling it a night at 7:30 am :lol: :lol: :lol: :lol:

Type your comment> @edspiner said:

just a tip for web-focused testers - there is another way to get the creds, it’s related to how the backend handles some specific URLs. No need to “point the gun at yourself”.
all can be found in PayloadAllTheThings … or OWASP

Thanks for the pointer to PayloadAllTheThings, I always forget how useful this is … . Wasn’t able to construct a working exploit, but with PayloadAllTheThings it was quite easy.

Hi,I stuck at initial just got .txt file,Any help would be appreciated,PM me please,

EDITED:found it

Man, crazy box so far.
Just got user hash lol that was a journey.

Looking forward to trying to figure out this… other part.
Think I know what the bf method is targetting, but I take it that’s not intended way?

Thanks to the creators! Enjoyed this one :smiley:

I got stuck for a while on User part. Turns out it’s quite simple if you read the output, think for a bit of Time and then you’ll give it what it wants.

I’ll try to do Root in a fancier manner, since mine was a bit brute.
PM if needed

Those who bypassed c****o with BF and never understood what happened can pm me. Thats the awesome part of this machine

Type your comment> @zaphoxx said:

I am stuck at a point at user where i can read files but not all of the .php ; so far nothing i could read gave me some new information to proceed; plz pm for any nudges ; thx

same here… can’t find b****p folder… any nudegs… please pm …
thanks

@shack said:

Type your comment> @zaphoxx said:

I am stuck at a point at user where i can read files but not all of the .php ; so far nothing i could read gave me some new information to proceed; plz pm for any nudges ; thx

same here… can’t find b****p folder… any nudegs… please pm …
thanks

Have a think about where these files would be stored in a normal Linux filesystem then with a bit of trial and error you will get the folder name.

Start by working out which folder contains files to which the Linux system writes data during the course of its operation.

Then it normally has a folder which serves as a home for things posted on port 80.

Got user! On to root now, and this c****o is killing me… thought i found a flaw, but can’t figure it out.

@shack, if you are searching for a specific word, it might not be just a file or folder on 80… what else could it be?

the c****o is driving me crazy. I see that it is kind of broken but after an initial step without the k** I get stuck. any nudges or helpful links would be appreciated. thx.

Just finished and wanted to say thanks to the creators @infosecJack and @chivato!

Probably the most fun HTB I’ve done, I’ve learnt a lot from doing this box (even/especially the bits that ended up being rabbit holes). And thanks to @EvilT0r13 for pointing out a technique I’d completely overlooked.

Thanks for a super fun box to help with quarantine :))

@zaphoxx said:

the c****o is driving me crazy. I see that it is kind of broken but after an initial step without the k** I get stuck. any nudges or helpful links would be appreciated. thx.

You can write a bit of pythonic code to append to the python file which brute forces this fairly quickly.

rooted - what a crazy ride. This was a great machine; enjoyed the crypto part a lot but also user was fantastic. good work. thanks to @HomeSen and @EvilT0r13 for the hints/nudge.


@TazWake said:
@zaphoxx said:

the c****o is driving me crazy. I see that it is kind of broken but after an initial step without the k** I get stuck. any nudges or helpful links would be appreciated. thx.

You can write a bit of pythonic code to append to the python file which brute forces this fairly quickly.

I figured out (with some help from @HomeSen) a less brute force way to crack the msg. thx for the nudge/hint anyways, much appreciated.

Rooted! what a great ride… thanks for the challenge and the learning opportunities!

PM for nudges.

This is a very difficult machine, I tried to use dirbuster to find extension xml and php, I cannot find any xml… and there is only one index.php… the directories I can find are /icons/, /icons/README and /icons/small/, hope someone can give me a nudge?

rooted … need hints ? Msg me on discord icoNic#0097

Arrexel