Official Proper Discussion

Now that you said it I’m starting to recall very very slightly… still missing a blib.

user own.
Took me 4 evenings!
Thank you to those who helped me (special thanks to @bashketchum).

Thank you @xct and @jkr, you’re good! I think it’s the box I liked the most so far; definitely learnt a lot!

Came back after a few days away. User was glorious. Getting that to work was an awesome feeling. I’m pretty close to root, I just haven’t nailed it yet. This one is an easy favorite of mine.

Finally rooted, more than a week later. Definitely loved it! Learned so much from this one.

A lot of you are sending me PMs: it’s ok, I’m happy to help, but mind that I have a job, and this habit of sleeping every now and then, so please be patient. Also I’m not willing to just spoil the box: ask specific questions, not just “What should I do?” or “Why isn’t this working?”. And be prepared for cryptic hints, not solutions :wink:

After a week full of action and “trial & error” I got user access to the box, but the HTB portal unfortunately doesn’t accept the content of “user.txt” as the flag :frowning:

Took me a lot of time and a small hint, but I got user. What a fantastic box! Trying to get root now but I’m very new to Windows PrivEsc. If anyone can help me out, that would be great!

User hints (trying not to spoil anything): The obvious path is indeed the path you need to take. The way to get access is what you initially thought: be sure to thoroughly research the way you intended to gain access. You might have missed something :slight_smile:

Struggling to get root on this. I’ve tried whatever is in my knowledge to go ahead, but I think that I’m again banging on my lack of skills in binary exploitation… any nudge would be really appreciated…

Rooted this box. Great experience and a lot of fun. Thanks @jkr and @xct! The learning has been through the roof!
For root:
There’s more than one way to solve it. Both require the same path.

Managed to get the root flag without a shell. Really fun box, thanks @jkr and @xct. I learned heaps.

Hello, I’ve managed to crack the hash but I’m not able to bypass the filter. Could anyone give me a nudge on this step pls :slight_smile:

I can get foothold/user, and can go see where the two exe’s of interest are, and how they are connected. But I do not understand what I am looking at, my Win-fu is lacking. How would a Unix person conceptualize what is going on there and how to think about potential vulns? (Tried seeing if I could RE them but that did not work well, so do not have any insight into wtf is going on between those two.)

Stuck in foothold, anyone please help me

Amazing box! Loved every step
User: once you have something to read in front of you, read it carefully.
Root: all you need is there, just connect the dots; maybe a Windows box can help understand what’s going on :slight_smile:

Starting this one. Wish me luck, guys! :smile:

Foothold: some web service with obscure protected salted encoded input for use in a Kali tool to walk databases. Need to produce an error to get the salt. The next access point is the same method but with a different attack. Same way: produce an error on the service.

EDIT: I don’t know how to inject the payload. http is not allowed. :neutral:
EDIT2: No way to RFI in s—a. s–client in the local shell works properly :neutral: Does the theme accept backslashes and slashes? I have an issue with backslashes. Slashes don’t work either. Can someone tell me what is correct? When I use nc on port 445, I see the request, so the problem is targeting the include header. Any ideas, pals?
EDIT3: Well, I don’t understand the s-- URL format. I ran a PHP script on another machine with the same result. Tried doubling backslashes with no success :cry: Running s–client is ok.

@kshitizkr6003 said:
Stuck in foothold, anyone please help me

See my comment :smile:

Hello guys,

I reached the panel. I know what the vulnerability in the panel is and how to exploit it, but the payload I created does not work properly. Can you help me?

Hi,

I got the user flag; it was a pretty grueling process for me :neutral: Took me 4 evenings!

Now the root user is next.

Hint for user
  • Scan the directories on the site in detail (gobuster, dirb, wfuzz)
  • At the end of the scanning process, you will get a directory. (l******s)
  • Source code on the site can direct you to different pages
  • All you need in this process is you and python ( maybe smbserver :wink: )
  • Feel free to PM for help.

I would like to write more but I’m afraid of spoilers

Not entirely sure I understand the path to foothold. I intercepted and played with it instantly, which revealed the formula. However, I always get a 500 internal error if the arg is not id+desc … Is this a server restart or am I missing something?

Update

Foothold: Don’t forget to parse_quote if you see 500

Hi! Step by step I am going through this machine, and I get stuck on every step for some time. Currently I am at the theme park trying to get on the ride (is this the way to avoid spoilers?) I can get something through using the famous dance, but nothing executable. Is there a need to bypass the “filter” for RCE, or is there some other way to gain access to the machine?

EDIT: nvm, got it. That was fast.

Hi! After several weeks of hard work with @camk’s support, I got the root flag back. Thanks to @jkr and @xct and @camk :slight_smile: for this machine. I learned a lot of new things.