Official CrossFit Discussion

I am trying to find the inital foodhold I already tried to dirsearch, dirbuster ect. but do not find anything. Can someone point to a useful tool :slight_smile:

Could someone give me a little hint with the GET request to get a valid token? PM

rooted. The root part is crazy :slight_smile:

can someone help me with root. analyzing d—g file with ghidra found function p------_d—
what to do next. new to binary exploitation

I now have USER. big thanks to @justAhmed and @luca76.

Working towards root now

rooted. This was very fun, educational and challenging box. Big thanks to @justAhmed and @jkana101 for helping me along the way.

Spoiler Removed

I had to stay awake for a long time but I finally won. Much analysis was required to reproduce the reverse step by step. Amazing. Thank you for this opportunity.

does this machine have something to do with f** if so please help me out. Thank you!!

I can see why this is an insane machine.

I was stumped on root here :smile: . EDITED TO ADD: Rooted now but that was hard.

I think I know what I need to do but I cant get it to work. It doesnt help that I cant seem to get it to give me any troubleshooting data. So there could be a lot wrong with what I am trying but I cant work out what :frowning:

It doesn’t help that the entry I am relying on seems to get wiped every few minutes!

i got root. its really hard box. if you need help you can DM. gl hf @tazwake thanks for i***c user priv. <3

Hi, need some help with something at the first to get the user, can someone pm me ?.

Hi people. Someone could give me a hint to get the user flag, I find myself stalling :frowning:

@Carlos96 said:

Hi people. Someone could give me a hint to get the user flag, I find myself stalling :frowning:

FInd a hash, crack the hash, use the creds.

I’m pretty sure the path to privesc to user i____c is broken. I’m using m____l and the vulnerability in the se^^_u^d^t^s to execute commands but nothing works. Can anyone else confirm this?

@shadowbunny said:

I’m pretty sure the path to privesc to user i____c is broken. I’m using m____l and the vulnerability in the se^^_u^d^t^s to execute commands but nothing works. Can anyone else confirm this?

I dont think that is how I moved from h___ to i____c, at least I dont recognise the obfuscation.

If you have a shell as h____, enumeration shows something which you can read and runs at regular intervals. You can use this to trigger code to your advantage.

Type your comment> @luca76 said:

Could someone give me a little hint with the GET request to get a valid token? PM

I’m looking for the same help. I receive the GET request but nothing is in it. I have tried various payloads and listeners. Please DM me.

Spoiler Removed

Type your comment> @t1b0 said:

I am able to get tokens and POST to create new FTP users without getting “Page Expired”, but I don’t think it creates the users, because the FTP client keeps saying “530 Login incorrect”. I’ve been stuck for 3 days. I feel like there’s a timing brainfuck. Any hints?

I was missing an XHR attribute. It works now.

Type your comment> @TazWake said:

I can see why this is an insane machine.

I was stumped on root here :smile: . EDITED TO ADD: Rooted now but that was hard.

I think I know what I need to do but I cant get it to work. It doesnt help that I cant seem to get it to give me any troubleshooting data. So there could be a lot wrong with what I am trying but I cant work out what :frowning:

It doesn’t help that the entry I am relying on seems to get wiped every few minutes!

i did entry command as some value to the table after i selected the table, it succeed but i failed getting shell, don’t know why, i already planted my rev within the lf** fdm mes* dir , this is insane… i can’t seems to make it work.

EDIT: ROOTED! , finally i found a method to get around it, definitely insane machine!
i’m down to help if any of you guys need it, just PM me.