Official Forge Discussion

Official discussion thread for Forge. Please do not post any spoilers or big hints.

Has the forum died??? Not a single comment. I guess everyone is doing Discord now. Well nice box even if I would have rated it as easy and not medium.

> @f1rstr3am said: Has the forum died??? Not a single comment. I guess everyone is doing Discord now. Well nice box even if I would have rated it as easy and not medium.

It hasn’t completely died. I’ve been staring at this one forever and I feel like it should be simple but it’s not coming to me.

> @f1rstr3am said: Has the forum died??? Not a single comment. I guess everyone is doing Discord now. Well nice box even if I would have rated it as easy and not medium.

Hi. Hint pls!

> @mmd78 said: Hi. Hint pls!

Have you enumerated subdomains? After that, look for a provided way to access said subdomain(s).

Thank you for the box. I had fun with it.

1 Like

Good box. Hint - Don’t trust your browser. That is all you need.

1 Like

User: Enumerate everything and when you find something just follow the path and use resources available. Root: Do what you always should do first and then if you see something that you don’t know what it is learn more about it.

User/foothold: Was hard for me because I have done it for the first time. Enumerate the machine and then try to understand how to exploit it. I had to use some nudges to make it happen. After knowing what to do, it is pretty straightforward. (Look at the machine name to get the exploit.) Root: the easiest root I have encountered so far. Literally the first thing I’ve done and tried. Just “break” something and think about what you can do with it.

> @gnnr said:
>> @mmd78 said: Hi. Hint pls!
>
> Have you enumerated subdomains? After that, look for a provided way to access said subdomain(s).

Thanks.

> @Dante34 said: Good box.
>
> Hint - Don’t trust your browser. That is all you need.

Thanks for your hint! Actually, that helps me!

need a nudge!

Hey, my first medium machine, and I’m struggling a little to get any further than the U***** page. Could anyone who’s got the user.txt or rooted please message me some hints? I’d be very grateful.

> @Monicon said: Hey, my first medium machine, and I’m struggling a little to get any further than the U***** page.
>
> Could anyone who’s got the user.txt or rooted please message me some hints? I’d be very grateful.

I don’t know where you’re stuck, but to get a foothold, remember what you have to think about when there is a field that deals with the URL. If you need more small hints, DM is open.

Nice box. Some good hints above too, especially from @f1rstr3am and @N4gi

Got user, now what? lol. The attack surface is so small, I don’t know what to do next on the path for root. Do I still mess with the thing that got me user? Or do I mess around with trying to upload things?

Edit: Got root! Hint: Think about what clues in your pocket you haven’t used yet, and look for ways to utilize them (remember what you have access to). After that part, break something!

THIS IS MY HINT

Contributed to giving you that respect. Really nice box that practices the fundamentals. Here’s how to get by:

1. Enumerate ports.
2. DNS translation.
3. Fuzzing. Tip: A small dictionary will suffice.
4. Hardest part of Forge by far: Bypass upload restrictions. Tip: The name of the box should match something in the 2021 OWASP Top 10. [Foothold]
5. You should have discovered some interesting notes on how to execute commands.
6. List what’s on the box and use that to connect to the box. [User]
7. What can you run as root?
8. Understand what it does. Tip: Don’t play by the rules.
9. Run your privesc. [Root]

1 Like

I’ve enjoyed this box a lot. Hardest part, as usual, was getting a foothold.

1 Like

User was so fun! Congrats @NoobHacker9999!! The forum hints have been helpful :wink:

1 Like