Official Reel2 Discussion

There’s a hidden site - still not sure if it’s a rabbit hole but the source code is online so it’s at least halfway easy to maybe find a foothold there…

Stuck, any hint would be welcome.
From the looks of it only 8 users have user so far. :open_mouth:

hmm
Wonder if /supbx is the way in?
some kind of S
L
wizardry …

I successfully implemented a cookie stealer utilizing hashtag.php. So far, only snarfed my own cookie. The only place I can even get an href to render properly is my profile website. :confused: I don’t think this is a spoiler because it helps with absolutely nothing, more like a “don’t waste your time” spoiler.

Type your comment> @Zot said:

I successfully implemented a cookie stealer utilizing hashtag.php. So far, only snarfed my own cookie. The only place I can even get an href to render properly is my profile website. :confused: I don’t think this is a spoiler because it helps with absolutely nothing, more like a “don’t waste your time” spoiler.

For get a cookie just go on inspection browser and then on console and write “window.cookie” or tab storage cookie

well… now that i have creds, i feel even more lost than before.

Wtf winrm? rabbit hole? I have valid credentials :neutral:

Type your comment> @zer0bubble said:

well… now that i have creds, i feel even more lost than before.

As in you made yourself an account, or found some somewhere?

Edit: I don’t speak this language. I don’t think I need an exploit, per se.

Edit: If anyone is on here that has gotten a foothold, am I supposed to chase the “bad” exploit, or am I way off base?

Love the Swedish\Scandi names @cube0x0 :smiley:

enter in the wastant messenger so what to do now!! tried everything to get the shell!!
bot no use!!

Got creds to something (not the social media site), and I think I know what I’m supposed to do, but everything I’ve tried so far hasn’t worked. And I’m about to throw in the towel.

Finaly got user pff! @S1ckB0y tnx for the headsup when i was stuck.

is something broken, I can log into (not social site) but am greeted with an error.

Type your comment> @luca76 said:

Type your comment> @Zot said:

I successfully implemented a cookie stealer utilizing hashtag.php. So far, only snarfed my own cookie. The only place I can even get an href to render properly is my profile website. :confused: I don’t think this is a spoiler because it helps with absolutely nothing, more like a “don’t waste your time” spoiler.

For get a cookie just go on inspection browser and then on console and write “window.cookie” or tab storage cookie

No luca, I wasn’t trying to get my cookie, I was trying to steal whoever was in charge of the support boxes cookie. It’s all good, I got user now. To anyone reading this, FORGET ABOUT COOKIES! (like Luca said)

Type your comment> @Zot said:

Type your comment> @luca76 said:

(Quote)
No luca, I wasn’t trying to get my cookie, I was trying to steal whoever was in charge of the support boxes cookie. It’s all good, I got user now. To anyone reading this, FORGET ABOUT COOKIES! (like Luca said)

I have the user too, and I have a shell, but it’s not easy anyway, in fact I would say that now the road is uphill for me, I’m not good with P **** s *** l

managed to read the root.txt but didnt get a root shell. Anyone who managed to get a rootshell? :slight_smile:

I’ve been in a shell for two days without being able to do ■■■■, but what fucking witchcraft is this?

rooted without root shell. I don’t think this box could pop root shell, since we’re limited function :slight_smile:

Interesting, I have a fully functional user shell but not super clear atm where to go next.

Type your comment> @luca76 said:

Type your comment> @Zot said:

Type your comment> @luca76 said:

(Quote)
No luca, I wasn’t trying to get my cookie, I was trying to steal whoever was in charge of the support boxes cookie. It’s all good, I got user now. To anyone reading this, FORGET ABOUT COOKIES! (like Luca said)

I have the user too, and I have a shell, but it’s not easy anyway, in fact I would say that now the road is uphill for me, I’m not good with P **** s *** l

I’ve never used the… restricted environment (if you’ve made it to that user, which you probably have). So this is just going to be a lesson for me. As soon as I got user level access I busted out meterpreter. So navigating the system has been a breeze, but yeah, gotta study the docs for je******** you know.