Quick

@chonmayo said:

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

Sadly, I can't think of any way to say more without it getting removed as a spoiler.

All I can say is you probably need to try more combinations. The information is on the site.

Finally rooted. This was quite a ride for me, but I’m happy I stuck with it. Here are my hints:

Foothold: The latest tech will save you.

User 1: If you can’t do it in one step, do it in three steps.

User 2: Writing can be so much more fun than reading.

Root: Once you find it, just try it out! Do NOT overcomplicate this last step or you’ll find yourself in a world of pain.

PM for nuggets.

Whew, user finally pwned… so many new techniques and ways to try harder.

Awesome box so far! On to root…

edit: User2 pwned, awesome privesc method :slight_smile:

edit: rooted!

Finally got the user flag! The foothold was quite frustrating!
I'm trying to spawn the reverse shell but I'm stuck! A nudge would be very welcome :slight_smile:
Now I am trying to decrypt a hash; the password doesn't seem to be in rock***.
Edit: Rooted. PM me for nudges.

@chonmayo said:

@TazWake said:
@user29 said:

Feel like I am missing something easy and could use a nudge. I have the first password and I feel like I'm just sitting here playing "guess the email". What am I missing? I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

I had to try about 20k combinations before getting it, for what it’s worth

Would someone mind taking a look at my e-mail creating script and help point me to what I’m doing wrong?

EDIT: Got it, thanks to the nudge from @jhnhnck. On to user!

Anyone got any tips for root? I am just absolutely clueless as for what to do here, which is weird because according to everyone else this is the easiest part…

Okay, my tip is KISS.

I don't know why, but yesterday I could get the user, and today I can't find any new tickets created; the search always returns 200 empty responses after posting a new correct ticket. The box has been reset two times… bored.

@k30j1 said:

I don't know why, but yesterday I could get the user, and today I can't find any new tickets created; the search always returns 200 empty responses after posting a new correct ticket. The box has been reset two times… bored.

Are you using the right URL? One of them tends to not return anything for that request.

@user29 said:

Are you using the right URL? One of them tends to not return anything for that request.

■■■■, you saved my mind, I feel so stupid x) Thanks, man!

Edit: Rooted!

Thanks again @user29 and @nicoswd too :slight_smile:

Feel free to PM me for help!

@k30j1 said:

@user29 said:

Are you using the right URL? One of them tends to not return anything for that request.

■■■■, you saved my mind, I feel so stupid x) Thanks, man!

Glad I could help! There were a lot of moments like that for me with this box.

The HTTP and HTTPS ports are closed, even after a reset… WTF?

@Dzsanosz They are not open on this machine.

Just completed. Nice box for a rainy Sunday afternoon.
Overall logic seems to be similar to other machines of the author (or perhaps it's just a subjective impression of mine). I would give it a decent 30 points rather than 40, but again, it's only my evaluation.

My three cents:

Initial Foothold:
Everything has already been written, including required tooling so I can only confirm that it was the most painful part.

User1:
Evaluate the app, do some googling after evaluating the traffic. There are some nice articles on the Internet. Split what's complicated into parts.

User2:
See what else is running on the box. Read some code. Get access. If you cannot break what you need (or it requires too much work), then perhaps just change it. Simple scripting and you are there (you can reuse your tooling from the initial foothold).

Root:
Stay where you are. Basic enum and do not be shy, just get in.

The box was quite enjoyable.

Rooted. Very cool machine, PM for hints with where you are and what you’ve done.

Thanks to @bigFish43, @Roinard, and @jhnhnck for the nudges!

After logging into /t*****.*** and raising a ticket, I have a problem with sending actual payloads in CD***. It looks like I can only send a ticket once, and after that all my attempts to load the stylesheet are met with 404 (on my payload server side). Loading them manually from the browser works OK. Could anyone nudge me in the right direction?

Some notes of mine:

Foothold:
Discovering the required info is all about enum, and there are already lots of hints here. Just for getting a shell: I was struggling with numerous rev shells although I had RCE. Read the docs on the tech/code that is used to execute the payload to understand how it works. Also, there are rev shell examples for this case if you google it.

User2 privesc:

  • No need to crack anything, and also no need to break/overwrite what is already there; there is no requirement for unique values, so you can have multiple of those.
  • The best thing to do is to write a script to automate this "quick" exploit. You won't need to be "quick" as the script is fast enough. I was, however, struggling with dates. For some reason the system date is different from the web backend date. I'm not sure where that comes from…

Root:
Not about enum as some say, but about reading carefully all that is not default at home.
Then again, I made some updates to a popular enum tool to find similar things. This might be helpful in real life.

For accessing the site I have rebuilt the tool that is normally used, but even then I couldn't get anything out of it. Need a giant nudge.

@edspiner said:

User2 privesc:

  • No need to crack anything, and also no need to break/overwrite what is already there; there is no requirement for unique values, so you can have multiple of those.

Getting user2 on the free lab must be a nightmare when you try "breaking" instead of going directly for what should be done -:slight_smile:

If anyone is up for helping on the initial foothold, I would be happy.
-----------Update:
Got all the way to the next user GUI. Need help on beating that famous song made by a killer.