Official Cereal Discussion

Look at old git commits. And add an exp field…

@gh0stm5n I got that part already. Right now I’m trying to get through the 403 when I try to GET some cereals so I can start, maybe, working on an exploit.

I got user. Working on root. I saw my user can get some j**** p****** but I think the default C**** isn’t working, gonna try getting another one. Any ideas? Can’t get it to work.

@eagle005 said:

Can I get any hints? I am stuck at building a valid token.

Still, I am not able to get a valid token. Any nudges?

Spent a few weeks now trying to get past the localhost restriction. None of the JavaScript I tried triggers my payload. So I quit and wait for the IPPSEC video…

@gh0stm5n said:

Spent a few weeks now trying to get past the localhost restriction. None of the JavaScript I tried triggers my payload. So I quit and wait for the IPPSEC video…

I am in quite the opposite situation. I know a way to trigger a payload but can’t for my life figure out a meaningful one, the only one I have working locally is pointless. Any nudge for this would be appreciated. Never been this stuck, my brain hurts…

After hours and hours the payload works locally, the trigger works locally, but remote nothing and I’m blind. This is pain. Pure pain.

It took me about two weeks of on & off work, but I finally got user. That was surprisingly difficult but largely because I made two mistakes without realising it.

First - I focussed on the tool often used for this and overlooked the fact that it doesn’t work - for a long time. When I moved to a more bespoke approach it worked.

Secondly - I should have given up on using Burp earlier on. It’s much easier to script it; I was just being lazy and ended up spending way more time than I should have.

Rooted. The good news is privesc is less complex than getting user. Enumeration is 100% the key (and I don’t mean just looking for passwords all over the place).

Look at what the box is doing - it helps if you’ve seen it before - look for how it can be exploited. Look at what your account can do. Then, if you are a gardener, there is something which is often useful on windows boxes.

Rooted. It looks like an insane box, more than hard for me.
Happy to help >>> PM for hints.

Can someone nudge me up? I got a feeling, type-of HS256, but I don’t really understand it.

@gh0stm5n said:
There is a field that is vulnerable to XSS (and yes I can get a response back to me).
Yea well I can’t!

Finally got user after many wrong turns and rabbit holes, and learning a lot. Thanks @TazWake for patiently answering all my questions.

This may be one of my favourite boxes. Great fun from foothold to root

Could use a root nudge, can’t tell if I’m stuck in a g*****l rabbit hole.

Can someone DM me with a hint on the whitelisting?
Edited: nvm

@TazWake said:
Look at what the box is doing - it helps if you’ve seen it before - look for how it can be exploited. Look at what your account can do. Then, if you are a gardener, there is something which is often useful on windows boxes.

I’m trying some fries with that but I get the usual “recv failed”, which I believe you’re mostly supposed to get if someone fixed the hole. Maybe I need a different family. Or was that an unintended way and the machine was patched?

User was insanely hard for me, probably took me more than 20 hours in total but at least I learned a gigaload for j**. Likely off-topic, but what are the chances one might come across something like this machine in an OSCP exam?

@Exci said:

I’m trying some fries with that but I get the usual “recv failed”, which I believe you’re mostly supposed to get if someone fixed the hole. Maybe I need a different family. Or was that an unintended way and the machine was patched?

I used the generic one and as far as I know it still worked as recently as last week.

Solved. Yes, even I felt user was > root. The name of the box is a synonym for what you need to do to get a shell. Need help? DM

I’m stuck at the point where I’m sending JSON to the Req**** endpoint. I think I have the right auth token but I’m getting 400 validation errors. I’m using Python json.dumps to make the payload with the four keys - anyone able to give a hint?