Rooted as well. If there is one hint that's worth giving on this box, I'll share it from one post above from @dr0ptpkt.
“Do your initial research. This box is meant to get us outside our comfort zone and force us to learn about stuff that we would never otherwise learn naturally.”
Can someone please give me a nudge on c*****t page? I’m pasting what I’m supposed to in there, and I’m pretty sure the ‘click’ is happening because if I paste my local dev server url, I get a request.
But then when I proceed to the next step, it’s just my accounts that are linked…
Hey guys, I’d appreciate a little nudge. I have access to the admin page and found a way to r******* my app. I can now access some additional resources and have a pretty good idea what to do with them, but I can’t figure out the mechanics. Please PM me if you’re willing to help. I can provide details on what I’ve tried so far. Thanks
User was good. Had trouble getting the token using Repeater, had to use curl instead. Getting root drove me insane. I need to work on enumerating and priv esc. Great machine.
root@oouch:/root# id
id
uid=0(root) gid=0(root) groups=0(root)
Thanks for the wonderful machine @qtc
What a machine! A wonderful journey up to root.
For User: Documentations are your friends.
For Lateral Movement: It is possible that a whale and a spider can be friends.
For Root: The one you tried in lateral movement will work now.
I’m doing WAPTX and there’s some O**** in it, so I thought I’d give a go at that box. I’ve been trying to play around with the various requests and I think I know how to exploit it, but it doesn’t work and I’d like some guidance to at least know whether I’m trying to do the right thing or just hitting a wall…
So, my last comment was from June 2nd and I only rooted it now lol…
I took a few breaks and did it in stages, and had to learn a lot on topics I didn’t know of, like the whale… even if eventually not much was needed.
Can’t wait to see the 8h walkthrough video for that one.
I’m a bit confused about how to set up the attack for initial access.
I know that there is a simulated user that “interacts” with what is passed into the c****** page. I can create a profile for myself on both the normal application and the hidden o**** application. Does the user do more than just click, is there a way I can trick it into performing a P*** request instead of just G**? Could someone DM me to nudge me in the right direction?
EDIT: Figured that part out… the normal flow must be “paused” and then finished by another.
EDIT2: Finally have user… this box requires learning so much. Feel free to DM me for nudges up to that point.