Broken challenges

Hi Team,

The Crackception challenge has a typo in flag one, which we get from the cracked KeePass file. In the flag one password there is key******* and it should be kee********

The Scratch and Sniff challenge has broken elevation permissions: you can go directly to sudo root, so people don’t need to use any escalation and can just read the flags directly.

Box full of recon challenge: the first flag is, I think, a wrong or misleading question.

Burping Sauce can’t be loaded (the page just keeps loading and nothing happens). Tried three different browsers and DNS, VPN.

Encoder Switch challenge - we just need to open the link mentioned in the second line and we have the flag.
Still doing other challenges so will update here.

2 Likes

Thanks for bringing these to our attention.

  • Crackception flag one was fixed, key***** should work in the system.
  • Box full of recon: (fix to be pushed)
  • Burping sauce: Can you elaborate a bit more? (i.e. HTTP 404)… Revisiting the page in the bookmark and intercepting the request in Burp should indicate the path to look at next. A header value should be appended when you revisit (i.e. just go back to the page again).
  • Encoder Switch: (looking into a fix)

Keep ’em coming.

I believe the issue with Burping Sauce is that once you get to the PHP page with the first flag, loading access.log and error.log hangs up. It’s either that or I am stuck. @Josip Can you confirm this is the issue you are experiencing?
Thanks.

1 Like

OK I see it, will fix.

1 Like

Another lab with a bit of an issue with wording (Jumping the Wireshark):
[image]

The correct answer is the first and the last packet times.
It was a bit obvious, as the first 20 packets have the same time, so I scratched my head and tried the last packet time and it worked.

Another challenge

Active Directory Basics 1.3

The first GUI device has flag.bat looking for the wrong group, as the instructions ask to make the Evil group, not the Heroes group.
If we do the steps from the PowerShell devices, all goes fine.

Flag.bat:

1 Like

update:

  • Crackception: (done)
  • Scratch-n-sniff: (fix to be pushed)
  • Box full of recon: (fix to be pushed)
  • Burping sauce: (fix to be pushed)
  • Encoder Switch: (in prog)

Please keep challenge-related stuff in this thread to reduce spurious threads across the forum 🙂

This challenge has a bit of a misleading expected entry:
[image]

The answer expects four characters. To elaborate, I will use a wrong encoding as the answer. If the answer was UTF-32, we are expected to enter UTF32 in the text field without the “-”. While this might be valid for the form, it is not correct and people will get confused.

For the challenge next in line

we are asked about questions contained in d.ps1, but the code on the right side is from the first challenge and there is no reference to anything like d.ps1. Unless I am missing something, they copied the wrong code from the 1st challenge, spiny shell.

1 Like

Is the Burping sauce challenge fixed? I’m not sure the instructions make a lot of sense.

Bypass the first hurdle by capturing and decoding a cookie (user_auth). - Found using decoder and then encoding to a new value that would be successful (boolean)

The next hurdle is to find an older version on the login page. Don’t try to brute force it. You’ll find a clue in the HTML. - Found the comment about the old page

On the older version of the login page there is a password. - I believe this is the commented code on the old login page, right? It’s 4 words put together… Right? But at no point does it ever ask for this later on, and since there’s no indication of what the username is, I’m not sure how we’re supposed to log in. There was an “~admin” snippet in one comment but that doesn’t help. Are we ever supposed to log in with this password?

On the “SERVER STATUS” page you will find the first flag. Take note of the way files are accessed from this page! Do you suppose this page is vulnerable to command injection? - I have reached a server-status page, but nothing indicates a flag, definitely does not match the pattern in Answer Microsoft Azure Administrator (AZ-104)

Find the secret directory and the text file to obtain the second flag. - I guess maybe this is where I’m stuck.

I tried using techniques that did not try brute forcing to find this hidden directory, but nothing seemed to work.

So is this Challenge working?

Changes I made didn’t take in the system, but upon further review, you don’t even need to view the log files to complete the challenge. This is due to the nature of the vulnerability.

On the older version of the login page there is a password. - I believe this is the commented code on the old login page, right? It’s 4 words put together… Right? But at no point does it ever ask for this later on, and since there’s no indication of what the username is, I’m not sure how we’re supposed to log in. There was an “~admin” snippet in one comment but that doesn’t help. Are we ever supposed to log in with this password?

Why wouldn’t it help?

Try the obvious stuff, because lots of things are at face value. Don’t think too deeply. Lotta times people leave notes and clues when hodgepodge creating stuff.

On the “SERVER STATUS” page you will find the first flag. Take note of the way files are accessed from this page! Do you suppose this page is vulnerable to command injection? - I have reached a server-status page, but nothing indicates a flag, definitely does not match the pattern in Answer>

So you managed to access the server status page correctly and solved the first aspect of this challenge? There is supposed to be a hardcoded flag on the puz***.php page. It’ll be painfully obvious and should be the top line.

Find the secret directory and the text file to obtain the second flag. - I guess maybe this is where I’m stuck.

How would you view directories (potentially hidden) on a Linux or Unix file system? No brute forcing or automated tools are required for any of this.

Consider the nature of the vulnerability first and foremost.

I’m not sure what happened the first time I tried logging in, but when I used the username (with and without the ~), it failed. Maybe I copied the PW incorrectly. Anyway, I’m logged in.

I get that you’re providing examples of path traversal, but I guess my original question still stands - was this ever updated? 22 days ago it was stated that it would be pushed. Has that happened?

1 Like

All the modifications should have transferred over a week or so ago, but gremlins could have caused issues here or there.

I peeked back into it today from the student side of things (thru the learner panel); the issue with log files will not stop you at all from completing the challenge.

Sorta spoiler?

It’s not an LFI. Even with an LFI or Directory Traversal, it should still function…though that isn’t the intended route with this and there isn’t a wordlist that exists that’ll help you find the hidden directory.

In general, if you’re doing any sort of file read or even an injection attack on an application… (no output) can generally be interpreted as either:

  • The system accessing the resource does not have permissions
  • The resource doesn’t exist
  • Output is going to a file descriptor that is not being presented

If you find yourself wanting to use automated tools…step back and keep things more basic.
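
The three readings of "no output" listed above, as an added example that is not part of the original thread or the challenge's code: a handler that relays only stdout shows the same empty string in all three cases, while the exit status and stderr (what a server-side log should record) tell them apart. The function names and the sample files are hypothetical and constructed for this illustration.

```python
import os
import subprocess
import tempfile


def app_view(cmd):
    """What a handler that relays only stdout would display (stderr is dropped)."""
    done = subprocess.run(cmd, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True)
    return done.stdout


def full_view(cmd):
    """Same command with exit status and stderr kept, as a debug log would record."""
    done = subprocess.run(cmd, capture_output=True, text=True)
    return done.returncode, done.stdout, done.stderr


def explain_silence(path):
    """Name the reason a read of `path` yields nothing, from the OS error itself."""
    try:
        with open(path, "rb") as handle:
            return "readable" if handle.read(1) else "empty"
    except FileNotFoundError:
        return "missing"      # the resource doesn't exist
    except PermissionError:
        return "denied"       # the process lacks permission


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample files
        locked = os.path.join(tmp, "locked.txt")
        with open(locked, "w") as handle:
            handle.write("secret\n")
        os.chmod(locked, 0o000)                  # note: root bypasses this check
        absent = os.path.join(tmp, "absent.txt")
        cases = {
            "no permission": ["cat", locked],
            "does not exist": ["cat", absent],
            "stderr only": ["sh", "-c", "echo status-line 1>&2"],
        }
        for label, cmd in cases.items():
            print(label, "| app shows:", repr(app_view(cmd)),
                  "| log shows:", full_view(cmd))
        print(explain_silence(locked), explain_silence(absent))
```
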