Quick

Type your comment> @chonmayo said:

@TazWake said:
@user29 said:

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like im just sitting here playing guess the email, what am I missing. I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

I had to try about 20k combinations before getting it, for what it’s worth

Would someone mind taking a look at my e-mail creating script and help point me to what I’m doing wrong?

EDIT: Got it, thanks to the nudge from @jhnhnck. On to user!

Anyone got any tips for root? I am just absolutely clueless as for what to do here, which is weird because according to everyone else this is the easiest part…

Okay my tip is KISS

I don’t know why but yesterday I could get the user, and today I can’t find any new tickets created, the search always returns 200 empty responses, after posting a new correct ticket, the box has been reset two times… bored

Type your comment> @k30j1 said:

I don’t know why but yesterday I could get the user, and today I can’t find any new tickets created, the search always returns 200 empty responses, after posting a new correct ticket, the box has been reset two times… bored

are you using the right url? one of them tends to not return anything for that request.

Type your comment> @user29 said:

are you using the right url? one of them tends to not return anything for that request.

■■■■, you saved my mind, i feel so stupid x) Thanks man !

Edit : Rooted !

Thanks again user29 and @nicoswd too :slight_smile:

Feel free to pm me for help !

Type your comment> @k30j1 said:

Type your comment> @user29 said:

are you using the right url? one of them tends to not return anything for that request.

■■■■, you saved my mind, i feel so stupid x) Thanks man !

Glad I could help! There were a lot of moments like that for me with this box.

The http and the https ports are closed, even after reset…WTF?

@Dzsanosz They are not open on this machine.

Just completed. Nice box for a rainy Sunday afternoon.
Overall logic seems to be similar to other machines of the author (or its perhaps just a subjective impression of main). I would give it a decent 30 points rather than 40 but its again only my evaluation.

My three cents:

Initial Foothold:
Everything has already been written, including required tooling so I can only confirm that it was the most painful part.

User1:
Evaluate the app, do some googling after evaluating the traffic. There are some nice articles on Internet. Split whats complicated into parts.

User2:
See what else is running on the box. Read some code. Get access. If you cannot break what you need (or it requires to much work) then perhaps just change it. Simple scripting and you are there (you can reuse your tooling from initial foothold).

Root:
Stay where you are. Basic enum and do not be shy, just get in.

The box was quite enjoyable.

Rooted. Very cool machine, PM for hints with where you are and what you’ve done.

Thanks to @bigFish43, @Roinard, and @jhnhnck for the nudges!

After logging into /t*****.*** and raising ticket I have problem with sending actual payloads in CD***. It looks like I can only send ticket once and after that all my attempts to load stylesheet are met with 404 (on my payload server side). Loading them manually from browser works OK. Could anyone nudge me in right direction?

Some notes of mine:

Foothold:
discovering the required info is all about enum, and there are already lots of hints here. Just for getting a shell - I was struggling with numerous of rev shells although i had RCE. Read the docs on the tech/code that is used to execute the payload to understand how it works. Also, there are rev shell examples for this case if you google it.

User2 privesc:

  • no need to crack anything, also no need to break/overwrite what is already there, there is no requirement for unique values so can have multiple of those
  • The best thing to do is to write a script automate this “quick” exploit. You won’t need to be “quick” as the script is fast enough. I was, however, struggling with dates. For some reason the system date is different than web backend date - I’m not sure where that comes from…

Root:
not about enum as some say but about reading carefully all that is not default at home.
then again I made some update to popular enum tool to find similar things - this might be helpful in real life

for accessing the site i have rebuilt the tool that is normally used but even then couldnt get anything out of it need a gaint nudge

Type your comment> @edspiner said:

User2 privesc:

  • no need to crack anything, also no need to break/overwrite what is already there, there is no requirement for unique values so can have multiple of those

Getting user2 on free lab must be a nightmare when you try “breaking” instead going directly for what should be done -:slight_smile:

If anyone is up for helping on initial foothold. I would be happy.
-----------Update:
Got all the way to the next user gui. Need help on beating that famous song made by a killer.

I hava a default password and I try to get email
I try a lot for generate emails but nothings success
anyone can help me

@0xRick99 said:
I hava a default password and I try to get email
I try a lot for generate emails but nothings success
anyone can help me

Some country TLDs can’t be registered under directly. There are instead some generic/default second level domains which you would register a site under.

Rooted! Very hard for me, but it is an amazing box! Congrats again @MrR3boot !!

Thanks for all the hints!

Anyone available for a nudge on root ?