

  • Really enjoyed this challenge. The biggest challenge was to bypass the 'blind' exfiltration and length restriction. Found a nice way to do both with one method. If you've already solved it, I'll happily disclose my method. If not, think about other …
  • Really enjoyed this box. No bruteforce or meaningless guessing is required. Hint for foothold: Enumerate a lot. Maybe look at older versions, commits and issues. Should give you a good start. From there, more enumeration. Explore what you've found…
    in Craft Comment by ollypwn July 2019
  • Very cool box @MrR3boot Really enjoyed the user part, even though it was a headache sometimes lol
    in Player Comment by ollypwn July 2019
  • Very straightforward box. Really liked that no guesswork was involved!
    in Jarvis Comment by ollypwn June 2019
  • @Zot said: (Quote) No, Querier is retiring apparently; maybe next week
  • @darkkilla you have everything you need in the user’s folder
    in Chainsaw Comment by ollypwn June 2019
  • @darkkilla said: (Quote) I'm sure no one deleted the user.txt file :)
    in Chainsaw Comment by ollypwn June 2019
  • Starting out
    in Chainsaw Comment by ollypwn June 2019
  • Some people have written to me, but I’ll answer here. I’m currently root on the machine, but there’s a last step. I suggest you read up on smart contracts. It really doesn’t matter if you deploy your own in this scenario. The idea is to get a …
    in Chainsaw Comment by ollypwn June 2019
  • You really don’t need to decode the bytecode. You got the contract source code. Now pay attention to the contract name and maybe think what the underlying process might do
    in Chainsaw Comment by ollypwn June 2019
  • Any hint on where the uploads go? I'm able to bypass the restrictions - or at least it says so
    in Ghoul Comment by ollypwn May 2019
  • Anyone who wants to discuss this challenge? I have found the flaw, thus having an arbitrary write. Most of the time, you would just overwrite a GOT entry with system or similar; however, I can't figure out what to overwrite it with in order to exp…
  • Spoiler Removed
  • *Spoiler Removed*
  • Regarding the uploads from admin, one of the listed plug-ins should look different. Look at the info in it and combine it with what you see on the page. Then try to exploit it. Only then will you be able to know about the upload function properly. …
  • Anyone want to discuss the first part? I think I overcomplicated it way too much, and that there is an easier way
    in Kryptos Comment by ollypwn April 2019
  • Finally root. Really nice box @jkr and root was just crazy fun
  • @anamus said: (Quote) If you know how the scripts work, you should be able to tell what happens to your upload - and what doesn't :)
  • Really nice box so far, but I'm stuck on the priv esc from the shell. Found some interesting files, including the command a****** u***** which under some circumstances can be exploited to gain escalated privileges. However, it seems that the con…
  • Anyone willing to share a hint on the first bit? My idea is that it is an XOR encryption. Decrypting by trying to guess the first header and then guessing the rest of the content slowly while building a key - but it doesn't seem to work with common headers EDI…
  • Honestly, this box is not a guess box. Try using the nikto tool. Should be a really good start for foothold if you look closely at the output.
    in Unattended Comment by ollypwn April 2019
  • Any hints on root?
    in Unattended Comment by ollypwn April 2019
  • @peek said: (Quote) Same. Help would be appreciated
    in Unattended Comment by ollypwn April 2019
  • So, I managed to run commands as www-data in a really weird way, but it works. Does anybody want to discuss a more comprehensive or easier way? I can share my way of doing it, but there must be an easier way. Please PM
    in Unattended Comment by ollypwn April 2019
  • Did anyone else have trouble using the private key for b****n when trying to SSH? It keeps asking me for the password, even though I'm supplying the private key by "-i". Anyone who can help? No error message in verbose mode either. EDIT: …
