Love it so far! It’s been a while since I’ve seen the initial vulnerability done as something that wasn’t a throwaway challenge. maybe the user/root will be a CTF nightmare, but rn this is a great time <3
Yeah, loved it as well! I can’t even remember another box with this type of vulnerability (the user foothold), but I bet it’s pretty common in the real world.
Came back after a few days away. user was glorious. getting that to work was an awesome feeling. I’m pretty close to root, I just haven’t nailed it yet. This one is an easy favorite of mine.
Finally rooted, more than a week later. Definitely loved it! Learned so much from this one.
A lot of you are sending me PMs: it’s ok, I’m happy to help, but mind that I have a job, and this habit of sleeping every now and then, so please be patient. Also I’m not willing to just spoil the box: ask specific questions, not just “What should I do?” or “Why isn’t this working?”. And be prepared for cryptic hints, not solutions.
Took me a lot of time and a small hint, but I got user. What a fantastic box! Trying to get root now but I’m very new to Windows PrivEsc. If anyone can help me out, that would be great!
User hints (trying not to spoil anything): The obvious path is indeed the path you need to take. The way to get access is what you initially thought: be sure to thoroughly research the way you intended to gain access. You might have missed something.
Struggling to get root on this. I’ve tried whatever is in my knowledge to go ahead, but I think that I’m again banging on my lack of skills in binary exploitation… Any nudge would be really appreciated…
Rooted this box. Great experience and a lot of fun. Thanks @jkr and @xct! The learning has been through the roof!
For root:
There’s more than one way to solve it. Both require the same path.
I can get foothold/user, and can go see where the two exe’s of interest are, and how they are connected. But I do not understand what I am looking at, my Win-fu is lacking. How would a Unix person conceptualize what is going on there and how to think about potential vulns? (Tried seeing if I could RE them but that did not work well, so do not have any insight into wtf is going on between those two.)
Amazing box! Loved every step.
User: once you have something to read in front of you, read it carefully.
Root: all you need is there, just connect the dots; maybe a Windows box can help understand what’s going on.
Foothold: some web service with obscure protected salted encoded input for use in a Kali tool to walk databases. Need to produce an error to get the salt. Next access point is the same method but with a different attack. Same way. Produce an error on the service.
EDIT: I don’t know how to inject the payload. HTTP is not allowed. :neutral:
EDIT2: No way to RFI in s—a. s–client in a local shell works properly :neutral: Does the theme accept backslashes and slashes? I have an issue with backslashes. Slashes don’t work either. Can someone tell me what is correct? When I use nc on port 445, I see the request, so the problem is targeting the include header. Any ideas, pals?
EDIT3: Well, I don’t understand the s-- URL format. I ran a PHP script on another machine with the same result. Tried doubling backslashes with no success. Running s–client is ok.
I reached the panel. I know what the vulnerability in the panel is and how to exploit it, but the payload I created does not work properly. Can you help me?
Not entirely sure I understand the path to foothold. I intercepted and played with it instantly, which revealed the formula. However, I always get a 500 internal error if the arg is not id+desc … Is this a server restart, or am I missing something?
Update
Foothold: Don’t forget to parse_quote if you see 500
Hi! Step by step I am going through this machine, and I get stuck on every step for some time. Currently I am at the theme park trying to get on the ride (is this the way to avoid spoilers?) I can get something through using the famous dance, but nothing executable. Is there a need to bypass the “filter” for RCE, or is there some other way to gain access to the machine?