Official Breadcrumbs Discussion

Could I grab a foothold nudge? First hard machine and I'm struggling with it. I have my magic scrying orb, but it's a little foggy; is anyone able to provide some clarity?

edit: Ahhh yes, I walk away from the keyboard for 10 mins and I solve it. My crystal ball got a lot clearer and I now see the crumbs.

I’m having a bit of trouble with the final (I hope) stage of this box. I have got the ELF file and have examined that to get access to a certain web site and have an AES key but I don’t appear to have anything to use it with. Not sure if I need the master key for the ELF file or not.

Any nudges would be most appreciated.

@sloth1985 said:

I’m having a bit of trouble with the final (I hope) stage of this box. I have got the ELF file and have examined that to get access to a certain web site and have an AES key but I don’t appear to have anything to use it with. Not sure if I need the master key for the ELF file or not.

Any nudges would be most appreciated.

Scratch that, Now managed to get root.

Hey all

I am having some trouble with the initial foothold. I’ve done my enumeration and have an attack in mind, but I need to do something else first for it to work.

I think I know what to do but I don’t know how to do it.
I don’t want to get into any details here in public, but if someone could DM, or offer to help with just the initial part, I’d really appreciate it.

Not usually posting, but I just rooted the box, and I wanted to say to anyone reading to NOT put too much thought into the hints given here, especially for root.
All this stuff about a recipe, Chef and the stew stuff… It’s an unnecessary (and involuntary) rabbit hole. Also, automated enumeration is great, but you actually don’t need it here (for the last part of root).
Great box, by the way!

Finally got root, thanks also to help from others. If you need help, msg me. Biggest hint, at least to get user, is the name of the box itself. You be a bird.

Wow, just finished this and what a fun box it was!
This was my first Hard box after picking through some Mediums confidently, and thought I’d leap in and give it a go.

Initially I was overthinking how devious the vulnerabilities were going to be and overshot the first one until I realised it was staring me right in the face. Once I got into the swing of things, I kept finding the breadcrumbs and true to their name, turned it into a fun trail of different classes of security flaw and bypass technique.

I think this was probably my favourite box to date - thanks Helich0pper!

Hey if anyone can help me with the later part of user please message me.
I do like this box so far; it is difficult but teaching me a lot.

I got an initial shell but I struggle to get the user flag.
Please give me tips…

Playing with the token using the tool and examining it with Burp. Reluctantly I read through the forum and I get the pretending/lie I have to tell the server, but when I change the username field I get a dud… Am I in a rabbit hole?

Very fun machine so far, but even though I’m running a personal instance I’ve had two issues that were solved with a reset:

When I initially started the machine there were no services listening on IPv4, except for the usual OS stuff. There is a way to retrieve the IPv6 address, which did have services. I was proud to have figured that out, but after a reset there suddenly were things listening on IPv4. Still somewhat proud for finding out that workaround though.

The second time is where you’re sure you got all the information to make an educated guess for something. But… I got nothing. Until I did another reset. The machine wasn’t even running for very long so I don’t think anything expired.

So: when in doubt, reset :stuck_out_tongue:

Hey all, I have just finished the machine. One of my favourite machines. Many thanks to Camk and Helich0pper!
If anyone needs help, no problem, contact me

I think I’m doing things the complicated way (as always :blush: ). Still, I managed to encode the token. I’m uploading the RCE directly with curl on the controller but I get this message.

Fatal error: Uncaught Firebase\JWT\BeforeValidException: Cannot handle token prior to 2021-06-03T20:45:46+0200

I’m sure there is a simpler solution :wink: but do you have any idea about date control in Firebase?

EDIT: Well, I know why, and there is a simpler access point :blush: My token generated online was very tricky. I finally generated one with a Kali tool. So it appears that I need an admin PHPSession hash and the corresponding token at the same time.

Now I’m trying to understand how to upload a fake zip. It seems that a real zip is needed, not just the name :neutral:

EDIT2: I just understood the b*** interceptor usage to repeat HTTP requests, but there is no way to bypass the file check by modifying the content-type and task name. What am I doing wrong??

EDIT3: got user. Very interesting box. Needed to enumerate enough. Bruteforcing the user password with a template becomes possible. I don’t know why the RCE upload vulnerability works with HTML. :neutral: Let’s go on the root journey. I see a bunch of passwords for different services.

EDIT4: any nudge for root? Tried Metasploit escalation, AV bypass, user and www-data enumeration, saw SMB shares but no access rights. What am I supposed to do with the password field of the users table, and with the develop**** user?

EDIT5: got root. Not easy for my level, but I learned a lot. The PEAS tool doesn’t work. I don’t know why. The clue is in an obscure note file of a Windows app. But the journey doesn’t stop there and there are more steps. Need SSH tunneling to use Kali tools.
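The `BeforeValidException` quoted above is the library refusing a token whose `nbf` (not before) or `iat` (issued at) claim lies in the future relative to the server clock, which is exactly what happens when a token is minted on a machine whose clock is ahead of the server's, or with a hand-typed timestamp. The validator below is an added example written for this thread, not code from the box or from firebase/php-jwt; it reimplements the same checks in the same order (signature first, then nbf/iat, then exp) with plain Python stdlib so the behaviour can be reproduced offline. The key, claims and timestamps are constructed sample values, and `make_token` exists only to produce test input.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class BeforeValidError(Exception):
    """Token has a future nbf/iat claim: the server will not handle it yet."""


class ExpiredError(Exception):
    """Token's exp claim is in the past."""


class SignatureError(Exception):
    """Token is malformed or its HMAC does not match the expected key."""


def _b64url_decode(data: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(payload: dict, key: str) -> str:
    """Constructed helper: mint an HS256 JWT so the validator can be exercised offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(payload))
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, key: str, now: Optional[float] = None, leeway: int = 0) -> dict:
    """Verify an HS256 JWT and enforce the nbf/iat/exp time claims.

    Mirrors the ordering used by firebase/php-jwt: the signature is checked
    before any claim is trusted; a future nbf or iat raises BeforeValid
    ("Cannot handle token prior to ..."); a past exp raises Expired.
    `leeway` (seconds) absorbs small clock differences between the party
    that minted the token and the server validating it.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise SignatureError("wrong number of segments")
    header_b64, payload_b64, sig_b64 = parts

    # Recompute the HMAC over the exact header.payload bytes received and
    # compare in constant time; a rewritten header (e.g. alg changed) fails here.
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise SignatureError("signature verification failed")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise SignatureError("unexpected alg in header")

    payload = json.loads(_b64url_decode(payload_b64))
    for claim in ("nbf", "iat"):
        if claim in payload and payload[claim] > now + leeway:
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(payload[claim]))
            raise BeforeValidError(f"Cannot handle token prior to {stamp}Z ({claim})")
    if "exp" in payload and now - leeway >= payload["exp"]:
        raise ExpiredError("Expired token")
    return payload


def check(token: str, key: str, now: float, leeway: int = 0) -> str:
    """Return 'ok' or the name of the rejection; convenient for logging decisions."""
    try:
        validate_token(token, key, now=now, leeway=leeway)
        return "ok"
    except (BeforeValidError, ExpiredError, SignatureError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    KEY = "constructed-demo-secret"   # constructed; not a real key
    NOW = 1_700_000_000               # constructed "server clock"
    # A token whose nbf is an hour ahead of the server clock is rejected ...
    ahead = make_token({"sub": "demo", "nbf": NOW + 3600, "exp": NOW + 7200}, KEY)
    print(check(ahead, KEY, NOW))                 # BeforeValidError
    # ... unless the server is configured with enough leeway for the skew.
    print(check(ahead, KEY, NOW, leeway=3600))    # ok
```

The design point for a server operator is the `leeway` parameter: a small value (tens of seconds) tolerates ordinary clock drift between services, while a large one effectively disables the `nbf`/`iat` checks, so it should be set deliberately rather than raised until errors disappear.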

So I’ve pretended successfully and followed the breadcrumbs, but I'm stuck on the form that I'm pretty sure I need to use to get a shell; it keeps erroring out no matter what I do when I try to use it. Did I miss something?

@sirtel said:

So I’ve pretended successfully and followed the breadcrumbs, but I'm stuck on the form that I'm pretty sure I need to use to get a shell; it keeps erroring out no matter what I do when I try to use it. Did I miss something?

Maybe you can have something that acts as a proxy in-between…

Been doing that, I'll try more things. Can't even get my tests to go through, something about a title.

Hello,
I hope I’ll find some help :confused:
I think I enumerated well, found some secrets, J** and C***ies I can encode/decode… but when I try to take advantage of Paul's permission, I get: Undefined array key “username” in the controller file… while I can run the same validation method on my machine with no problem.
I hope someone can tell me what am I missing…

Thanks!

@Xcalibure said:

Hello,
I hope I’ll find some help :confused:
I think I enumerated well, found some secrets, J** and C***ies I can encode/decode… but when I try to take advantage of Paul's permission, I get: Undefined array key “username” in the controller file… while I can run the same validation method on my machine with no problem.
I hope someone can tell me what am I missing…

Thanks!

When PHPS***** is correct you see the name of the user on the Portal page. Until then that cookie is incorrect. The first vulnerability on the app shows you the encoding logic to build the cookie. One random letter of the username is used in the encoding.

Rooted.
Amazing box. I think one of my favorites so far.

@dylvie said:

@Xcalibure said:

Hello,
I hope I’ll find some help :confused:
I think I enumerated well, found some secrets, J** and C***ies I can encode/decode… but when I try to take advantage of Paul's permission, I get: Undefined array key “username” in the controller file… while I can run the same validation method on my machine with no problem.
I hope someone can tell me what am I missing…

Thanks!

When PHPS***** is correct you see the name of the user on the Portal page. Until then that cookie is incorrect. The first vulnerability on the app shows you the encoding logic to build the cookie. One random letter of the username is used in the encoding.

Hello Dylvie,
thank you for your input; I was trying directly from Burp so didn’t have an eye on this. I believe I have spotted the logic to create the cookie, token… So I’ll retry and keep you updated.

Thank you again.
B/R