Official Breadcrumbs Discussion

nice box. i’ve rooted it. thanks @helich0pper PM me for hints

Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

@acidbat said:

Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

Find the answer to your question?

@htbprctc334 said:

@acidbat said:

Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

Find the answer to your question?

Not yet - could be a rabbit or something I haven’t figured out yet :stuck_out_tongue:

This was an awesome box! Everything you need is right in front of you, though you may need to dig deeper.

I did have an issue with one of the services. For some reason, it was returning an error, but after a reset, the problem was fixed.

If you need a hint feel free to PM me.

Really great box @helich0pper!

@acidbat said:

@htbprctc334 said:

@acidbat said:

Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

Find the answer to your question?

Not yet - could be a rabbit or something I haven’t figured out yet :stuck_out_tongue:

rabbit it is

@acidbat said:

Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

I just added it for a more immersive experience:)

@helich0pper said:

@acidbat said:

Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

I just added it for a more immersive experience:)

Cheeky :smiley: - Nice work :slight_smile:

Just a tip so people don’t lose a few hours like me: when it’s time to “pretend”, during the initial foothold phase, you might have to reset the box to make it work. Someone might have done something that makes it impossible for you to pretend to be your target.
Might be a bit cryptic but I don’t want to spoil.

rooted. really fun box with a nice progression through the various steps, thanks @helich0pper!

PM if you need a nudge.

Awesome box! Your enumeration has to be on point. I enjoyed the last part a lot; the process of setting everything up properly after figuring out what was going on was very satisfying. Thank you @helich0pper

(this is my first Hard box, and I’m finding it a heckuva jump from Medium…!)

Can I request some help with the foothold, please? I’m using burp, and a well documented technique to read files I shouldn’t be able to read, but I’m struggling to identify the right file to read.

For example, I’ve read the contents of db.scriptinglanguage (which, I assume, means my technique is working?), but when I use that same technique to read the files in the scriptinglanguage folder itself, I don’t see the amount of “scripty stuff” in those files that I expected to see.

EDIT: well, this is just embarrassing… thanks to @camk, I’ve now realised my initial recon of the box was lacking. Not sure how I managed to screw up that step, but lesson learned - “check your basics, Paddanada!”…

Just rooted the box; it took 4 days to complete. While doing that box I felt like I was working on a real-world target. No bruteforce, no guesswork… You must see everything in a technical way.
To solve this box… you must understand the application flow.
Enumeration is the key…
Thank you @helich0pper

rooted! thanks @hb86125295 and @camk for the nudges

After spending a fair bit of time on this box, it’s clearly going to require more skills than I currently have. For all of you who have finished it and have the OSCP cert, would you say this is the kind of box that one should expect to find on that exam?

Hey,
I’ve been working on root but I’m currently stuck.

I’ve seen what’s inside K, and have been trying to read the content of that one table through several means but no luck so far. Is it what I’m supposed to do or am I missing something?

Thanks!

Is RCE on some web site the intended way? Got a low-priv shell with that

@mach1ne said:

Is RCE on some web site the intended way? Got a low-priv shell with that

I went this way as well. Now I know there may have been a shorter way with better enumeration, but I have learned some interesting stuff this way too.

I have learned to count from 1 to 4 and was able to find an interesting key, which doesn’t seem to fit in any hole… I would be glad for a nudge.

Edit: rooted

well, despite my faltering start, I’ve completed the box!

The very last step was a bit of a guess inspired by an old Stack Overflow thread, and a helpful error message from the chef. I found this box to be very worthwhile to persevere with as there are so many facets to it - good stuff, @helich0pper!

Thanks again to @camk for picking me up after I fell at the first hurdle.