Official Cereal Discussion

@Caracal said:

@luca76 said:

Guys, can anyone help me to root? PM me.

PM if you want, I’ll help on root.

Thanks bro, you have a PM :wink:

Anyone have hints for 403 Forbidden?

So, I’m pretty sure I know what to do. I can create cereals, but when I try to list or get them, the request simply times out (after I managed to get around the 403).
Anyone an idea what I might be doing wrong, here?

EDIT(h says):
Seems like I forgot a newline. But now I can’t get around the 403 (even though I added the respective (plus some more) headers) :confused:

I had some tips from someone who did this box, but they don’t seem to work anymore. There is a field that is vulnerable to XSS (and yes I can get a response back to me). Tried to insert javascript with XMLHttpRequest to trigger my payload but without success. Who has some tips?

And things that seem to work one time don’t work another time. Sometimes it can take a while before I get a response.

Is someone willing to help me on getting a good token? I can’t get a valid Sig******. Thanks in advance.

I wrote a python script using a particular library to generate the token with the attributes I think are correct according to the source.

Look at old git commits. And add an exp field…

@gh0stm5n I got that part already. Right now I’m trying to get through the 403 when I try to GET some cereals so I can start, maybe, working on an exploit.

I got user. Working on root. I saw my user can get some j**** p****** but I think the default C**** isn’t working, gonna try getting another one. Any ideas? Can’t get it to work.

@eagle005 said:

Can I get any hints? I am stuck at building a valid token.

Still, I am not able to get a valid token. Any nudges?

Spent a few weeks now trying to get past the localhost restriction. None of the JavaScript I tried triggers my payload. So I quit and wait for the IppSec video…

@gh0stm5n said:

Spent a few weeks now trying to get past the localhost restriction. None of the JavaScript I tried triggers my payload. So I quit and wait for the IppSec video…

I am in quite the opposite situation. I know a way to trigger a payload but can’t for my life figure out a meaningful one, the only one I have working locally is pointless. Any nudge for this would be appreciated. Never been this stuck, my brain hurts…

After hours and hours the payload works locally, the trigger works locally, but remote nothing, and I’m blind. This is pain. Pure pain.

It took me about two weeks of on & off work, but I finally got user. That was surprisingly difficult but largely because I made two mistakes without realising it.

First - I focussed on the tool often used for this and overlooked the fact it doesn’t work - for a long time. When I moved to a more bespoke approach it worked.

Secondly - I should have given up on using burp earlier on. It’s much easier to script it, I was just being lazy and ended up spending way more time than I should have.

Rooted. The good news is privesc is less complex than getting user. Enumeration is 100% the key (and I don’t mean just looking for passwords all over the place).

Look at what the box is doing - it helps if you’ve seen it before - look for how it can be exploited. Look at what your account can do. Then, if you are a gardener, there is something which is often useful on windows boxes.

Rooted. It looks like an insane box, more than hard for me.
Happy to help >>> PM for hints.

Can someone nudge me? I got a feeling, type-of HS256, but I don’t really understand it.
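Two posts in this thread touch the same mechanism: the hint above to "add an exp field" and the question about HS256. Both concern HMAC-signed JSON Web Tokens. The following is an added example written from the service side; it is not code from this thread or from the box. It is a stdlib-only HS256 issuer and verifier showing the checks an accepting service must make: pin the algorithm, compare the MAC in constant time, and refuse any token whose `exp` claim is missing or past. The secret and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service loads this from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-real"


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def sign_payload(header: dict, body: dict, secret: bytes) -> str:
    """Encode header and body as JWT segments and append an HS256 MAC."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(body))}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def issue_token(claims: dict, secret: bytes, lifetime_s: int = 300,
                now: Optional[int] = None) -> str:
    """Server-side issuance: every token carries iat and a short-lived exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + lifetime_s)
    return sign_payload(header, body, secret)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Strict verifier. Raises ValueError on any failure, returns claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm server-side; the token must never choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking MAC bytes through timing.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    exp = claims.get("exp")
    # A signed token without exp is valid forever if the secret ever leaks.
    if not isinstance(exp, int):
        raise ValueError("exp claim missing: token would never expire")
    if now >= exp:
        raise ValueError("token expired")
    return claims


def check(token: str, secret: bytes, now: Optional[int] = None):
    """Convenience wrapper returning (ok, claims_or_reason)."""
    try:
        return True, verify_token(token, secret, now)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token({"sub": "alice"}, DEMO_SECRET, lifetime_s=300, now=t0)
    print(check(tok, DEMO_SECRET, now=t0 + 10))
    print(check(tok, DEMO_SECRET, now=t0 + 301))
    print(check(sign_payload({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, DEMO_SECRET),
                DEMO_SECRET, now=t0))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in production leave it unset so the verifier uses the wall clock.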

@gh0stm5n said:
There is a field that is vulnerable to XSS (and yes I can get a response back to me).
Yea well I can’t!

Finally got user after many wrong turns and rabbit holes, and learning a lot. Thanks @TazWake for patiently answering all my questions.

This may be one of my favourite boxes. Great fun from foothold to root