Vault

Comments

  • @Opaque said:

    @Skunkfoot said:

    @J0rdan said:

    @Skunkfoot said:
    Don't get tunnel-visioned on the login page

    as I did and lost several hours

    "lost" is a relative term. Edison discovered 1 million ways to NOT make a lightbulb before he found one that worked. :bleep_bloop:

    the one that worked was to steal it from Tesla lol

    lol whatever works!

    @n1b1ru said:

    @Skunkfoot said:
    Do some research on how to bypass file upload extension filters. Once you figure out what types of files you can upload, the rest should be pretty simple.

    Yep. Anyway I tested all the techniques with no success

    I'm betting you missed one. Try harder. ;)

    --Skunkfoot

  • Hm, any hints for lateral movement?
    Got a shell as d**e, I found some creds as well, got some interesting IPs, yet I am not quite sure how to access those and the password I found does not work with the "DNS + Configurator" server.

    Did I skip anything worth looking at?

    avoidy

  • edited November 2018

    @avoidy said:
    Hm, any hints for lateral movement?
    Got a shell as d**e, I found some creds as well, got some interesting IPs, yet I am not quite sure how to access those and the password I found does not work with the "DNS + Configurator" server.

    Did I skip anything worth looking at?

    Have you done Poison yet?

    --Skunkfoot

  • @Skunkfoot said:

    @Opaque said:

    @Skunkfoot said:

    @J0rdan said:

    @Skunkfoot said:
    Don't get tunnel-visioned on the login page

    as I did and lost several hours

    "lost" is a relative term. Edison discovered 1 million ways to NOT make a lightbulb before he found one that worked. :bleep_bloop:

    the one that worked was to steal it from Tesla lol

    lol whatever works!

    @n1b1ru said:

    @Skunkfoot said:
    Do some research on how to bypass file upload extension filters. Once you figure out what types of files you can upload, the rest should be pretty simple.

    Yep. Anyway I tested all the techniques with no success

    I'm betting you missed one. Try harder. ;)

    Finally I discovered it was a misunderstanding between whitelisted and blacklisted

  • @Skunkfoot said:

    @avoidy said:
    Hm, any hints for lateral movement?
    Got a shell as d**e, I found some creds as well, got some interesting IPs, yet I am not quite sure how to access those and the password I found does not work with the "DNS + Configurator" server.

    Did I skip anything worth looking at?

    Have you done Poison yet?

    Nope, but I guess I need to do some tunneling to access said "configuration tester"?
    Nevertheless, I will look into it.

    avoidy

  • We can discuss more privately if you'd like ;)

    --Skunkfoot

  • Enumerated more and got a shell! Enum is always the solution....my bad xD

  • I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    Opaque

  • @Opaque said:
    I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    You might read back through previous posts on here. If you only look for directories you may not always find everything interesting.

  • edited November 2018

    Can anyone pm me pls for initial foothold? Enumerating for hours but not able to find anything.

    Lol. Never mind. Got 404 for over an hour using the correct folder. Now getting 403

  • @deviate said:

    @Opaque said:
    I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    You might read back through previous posts on here. If you only look for directories you may not always find everything interesting.

    I haven't just been looking for directories. I have looked for php, txt, and html in all directories that I have gone through.

    Opaque

  • @Opaque said:

    @deviate said:

    @Opaque said:
    I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    You might read back through previous posts on here. If you only look for directories you may not always find everything interesting.

    I haven't just been looking for directories. I have looked for php, txt, and html in all directories that I have gone through.

    Gotta find the first directory first, or you'll never find anything

    --Skunkfoot

  • @Skunkfoot said:

    @Opaque said:

    @deviate said:

    @Opaque said:
    I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    You might read back through previous posts on here. If you only look for directories you may not always find everything interesting.

    I haven't just been looking for directories. I have looked for php, txt, and html in all directories that I have gone through.

    Gotta find the first directory first, or you'll never find anything

    I have found the first directory...and the second...and the third... but I'm not able to find anything in the /u****ds/ folder

    Opaque

  • @Opaque said:

    @Skunkfoot said:

    @Opaque said:

    @deviate said:

    @Opaque said:
    I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    You might read back through previous posts on here. If you only look for directories you may not always find everything interesting.

    I haven't just been looking for directories. I have looked for php, txt, and html in all directories that I have gone through.

    Gotta find the first directory first, or you'll never find anything

    I have found the first directory...and the second...and the third... but I'm not able to find anything in the /u****ds/ folder

    Yeah. Basically if you just go back and do what you're saying that you've already done, you'll find what you're looking for. ;)

  • edited November 2018

    @Opaque said:

    @Skunkfoot said:

    @Opaque said:

    @deviate said:

    @Opaque said:
    I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    You might read back through previous posts on here. If you only look for directories you may not always find everything interesting.

    I haven't just been looking for directories. I have looked for php, txt, and html in all directories that I have gone through.

    Gotta find the first directory first, or you'll never find anything

    I have found the first directory...and the second...and the third... but I'm not able to find anything in the /u****ds/ folder

    Except the folder you talked about, isn't something else there ? Spoiler Removed - Arrexel

  • @DaChef said:

    @Opaque said:

    @Skunkfoot said:

    @Opaque said:

    @deviate said:

    @Opaque said:
    I enumerated as far as I think I can go, common.text isn't finding anything after /u****ds/. I'm completely stumped from here though. I did some searching and found some documentation on optionsbleed but I'm not able to get anything to work.

    You might read back through previous posts on here. If you only look for directories you may not always find everything interesting.

    I haven't just been looking for directories. I have looked for php, txt, and html in all directories that I have gone through.

    Gotta find the first directory first, or you'll never find anything

    I have found the first directory...and the second...and the third... but I'm not able to find anything in the /u****ds/ folder

    Except the folder you talked about, isn't something else there ? Like a .html file ? ;)

    I finally found it... I'm an idiot lol

    Opaque

  • This box is killing me. I can't figure out how to get the payload converted. I have tried to just cat the payload files together, and also tried to use fakeimageexploiter...I'm completely tapped on ideas.

    Opaque

  • Any help for tunneling? First time I tried it worked just like in ippsec p****n video but now it isn't working, the webpage just keeps loading forever

  • @Opaque said:
    This box is killing me. I can't figure out how to get the payload converted. I have tried to just cat the payload files together, and also tried to use fakeimageexploiter...I'm completely tapped on ideas.

    Huh? Dude, you're doing too much, do less. Make sure you've enumerated all possible file extensions. You shouldn't need to convert anything or do anything with image files.

    --Skunkfoot

  • Rooted! Really awesome machine
    and I don't see any hints on the page for vault yet so here are a few without spoiling it!!
    For user find a place to upload something and then call it to get rev shell, check for listening ports and rest you are smart!
    For root it's very straightforward
    Have a look at logs and you'll find your way in!
    Good luck!

    PsyXsouL

  • edited November 2018

    @PsyXsouL I must be missing something obvious then cause I can't figure out the root part. I'm so close haha

    EDIT: Got it, many thanks to @fjv and @nol0gz

    --Skunkfoot

  • edited November 2018

    I know some people are frustrated, but honestly, this was a really fun machine. It was long and there were a lot of steps, but I learned something new at almost each one. Really cool design, thanks for creating that for us @nol0gz!

    EDITED

    Good luck, and enjoy the machine! When you run out of ideas, take a break, make a cup of tea or grab a beer or something, and come back with a fresh outlook on things.

    --Skunkfoot

  • very, very fun machine

  • I'm stuck on the shell, how to generate a black/whitelist? I tried different file extensions, but the only working ones are picture extensions. What am I missing?

    SekIsBack

  • @Sekisback said:
    I'm stuck on the shell, how to generate a black/whitelist? I tried different file extensions, but the only working ones are picture extensions. What am I missing?

    You don't need to generate the lists, only have to figure out what extensions are allowed. PHP has different extensions, you should look up File Upload Restrictions Bypass for PHP. I hope this is not a spoiler.

  • edited November 2018

    @SharkBoi13 said:
    You don't need to generate the lists, only have to figure out what extensions are allowed. PHP has different extensions, you should look up File Upload Restrictions Bypass for PHP. I hope this is not a spoiler.

    Got it and a shell

    Edit: shell max for 1 minute, not enough time to explore the server. Have to wait for more stability of the box

    SekIsBack

  • Got user, looks like my tunnel did not work for whatever reason, maybe the box was overloaded, but it does now.

    Onto root!

    Thanks @Skunkfoot

    avoidy

  • Ugh, so I just wasted a lot of time because someone screwed with the server and the initial site couldn't be found. :angry:
    After a restart all was fine again. I usually restart the server before I start working on it, skipped it this time and this is the thanks I get...

  • Well I am kind of lost at the point where you might use o****** to gain another reverse shell eventually. I already found that one article mentioned by @Skunkfoot. But I cannot manage to get a reverse shell. I guess I am missing something. Is anyone up for discussion?

    C1sc0

  • So it's correct there is no user.txt when I logged in to dv via S*H ?

    Hack The Box
