Json


Comments

  • Rooted, Nice Box :)

  • Rooted. Pretty straightforward box. Pretty much everything is already said in the forum. If someone who did it completely on Kali could PM me on how to do it, I would greatly appreciate it :D

    amra13579l

  • edited October 2019

    My jp is erroring out while providing the -c argument. Did anyone have similar issues? How do I fix that? I have everything together, I guess.
    I've seen that there is an issue on the git repo that covers that. It should work fine, they said.
    kindly asking for help.

    edit: finally got everything to work. But it was worth the hassle!

    Feel free to ask for a nudge. Just tell me where you are stuck at and what you've tried so far.

    nullorzero

    Would love to help you!
    Answering faster on discord: nullorzero#6975

  • @krypt said:

    I am creating the payload and I have no problems with "formatting" but I can't seem to get past other errors. Tried both of the payloads offered by the tool.

    Edit: The cause of my problem was that I used the tool's encoding function. It doesn't work if I encode the payload that way but weird enough it works if I encode it with Burp. Wat?

    Same happened to me (Wasted a morning :/). The last char doesn't copy when you double click the string to copy it. In Burp you probably selected the string manually.

  • Has anybody written a python script to get a user shell? I was able to get a shell manually through Burp (I can provide proof)... but I am interested in learning python scripting. I am trying to script this so that I can just run the py and get the shell.

    Did anybody do this and wants to share their code with me? I am struggling on it because I am new to python.

    wiseguy

  • @WiseGuy said:

    Has anybody written a python script to get a user shell? I was able to get a shell manually through Burp (I can provide proof)... but I am interested in learning python scripting. I am trying to script this so that I can just run the py and get the shell.

    Did anybody do this and wants to share their code with me? I am struggling on it because I am new to python.

    Will DM you

  • edited October 2019

    Hi all, I'm stuck at the initial foothold:

    • found /a** /a*****t and /a** /t***n
    • found P*******.t*t under /f***s/ (but I don't know if it is useful)
    • found some users in index.html (but I don't know if it is useful)
      but I cannot go on. What must I see that I cannot see? Can anyone help me?

    EDIT: got user, now trying privesc

    c4rl3tt0

  • For someone who's completed user: Can you PM and potentially compile for me? I have a WinVM and looks like it runs fine, but get errors with the site d****ing my input. Willing to explain quickly where I am so you know I'm this far... Not sure if it's just my VM

  • @daedalusx said:

    For someone who's completed user: Can you PM and potentially compile for me? I have a WinVM and looks like it runs fine, but get errors with the site d****ing my input. Willing to explain quickly where I am so you know I'm this far... Not sure if it's just my VM

    You do not need a WinVM; these can be crafted by hand. When I was sending my payload, it kept erroring out, and I was not watching my output terminals, so I thought it was not working. So watch your return terminal and give it 2-3 minutes to respond.

  • @j4v40n654n said:

    @daedalusx said:

    For someone who's completed user: Can you PM and potentially compile for me? I have a WinVM and looks like it runs fine, but get errors with the site d****ing my input. Willing to explain quickly where I am so you know I'm this far... Not sure if it's just my VM

    You do not need a WinVM; these can be crafted by hand. When I was sending my payload, it kept erroring out, and I was not watching my output terminals, so I thought it was not working. So watch your return terminal and give it 2-3 minutes to respond.

    Yeah, for some reason there must've been some extra characters in my output that were messing up the payload... finally got it working and just finished root :)

  • Did anyone manage to crack the F***z**** S*****.xml salted hash to root the box? If so, let me know (struggling with the syntax due to the length of the salt).

    Also, if anyone has a nudge on how to privesc my way to root, I would be glad to hear it; I'm kinda stuck.

    Thanks !

  • I'm having trouble with the payload, can anyone dm me?

  • @AlPasta said:

    Did anyone manage to crack the F***z**** S*****.xml salted hash to root the box? If so, let me know (struggling with the syntax due to the length of the salt).

    Also, if anyone has a nudge on how to privesc my way to root, I would be glad to hear it; I'm kinda stuck.

    Thanks !

    hc won't work with that salt; you can use jtr. However, I don't think that's the way for privesc.


  • I think I'm a bit lost on:

    • how to choose the payload among all the options
    • how to pass it to the target
      I got a general idea of what should be done, but I'm failing to understand how people can get RCE so easily

    halfluke

  • Check the format of the message you're using and you will reduce the possibilities a lot.
    Check the version of ASP.NET running and you'll find that, for that version at that time, there were not too many common (more used, popular) providers available for that format.
    I'd never used it before, but it's amazing to see it works (and how).

    There are good readings following the tool repo.
    Very nice step in.
    :-)
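    The sink behind the "format plus provider" narrowing described above is the serializer setting that lets the client name the concrete type to instantiate. The following is an added illustration written for this thread, not code from the box, the tool, or any poster; the `Order` DTO, the `OrderBinder` allow-list and the constructed JSON inputs are assumptions. It puts the vulnerable Json.NET configuration beside two hardened ones so the difference is visible in a single run.

```csharp
// Added example (not from the box or the thread): why a JSON.NET payload with
// "$type" runs, and the settings that stop it. Requires Newtonsoft.Json >= 10
// for ISerializationBinder. Type names Order/OrderBinder are assumptions.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class Order
{
    public string Item { get; set; }
    public int Quantity { get; set; }
}

// Allow-list binder: only these short names may appear in "$type".
public sealed class OrderBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { "Order", typeof(Order) } };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Refuse anything else before a constructor or setter can run.
        throw new JsonSerializationException("Unexpected $type: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Sink
{
    // Vulnerable: TypeNameHandling other than None lets the request choose the
    // concrete CLR type via "$type"; gadget chains fire while that object is
    // being constructed, before any application code inspects it.
    public static object DeserializeVulnerable(string json) =>
        JsonConvert.DeserializeObject<object>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All
        });

    // Hardened: bind to a concrete DTO with TypeNameHandling.None (the default),
    // so a "$type" member is just an unknown property and is ignored.
    public static Order DeserializeHardened(string json) =>
        JsonConvert.DeserializeObject<Order>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.None
        });

    // Hardened when polymorphism is unavoidable: keep type names on, but route
    // every "$type" through a strict allow-list binder.
    public static Order DeserializePolymorphicHardened(string json) =>
        JsonConvert.DeserializeObject<Order>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new OrderBinder()
        });

    public static void Main()
    {
        // Constructed inputs (assumptions). The first names a benign framework
        // type the server never asked for; a real payload names a gadget.
        string attackerShaped = "{\"$type\":\"System.Version, mscorlib\"}";
        string expected = "{\"$type\":\"Order\",\"Item\":\"book\",\"Quantity\":1}";

        Console.WriteLine(DeserializeVulnerable(attackerShaped).GetType());   // System.Version
        Console.WriteLine(DeserializeHardened(attackerShaped).GetType());     // Order ($type ignored)
        Console.WriteLine(DeserializePolymorphicHardened(expected).Item);     // book
        try
        {
            DeserializePolymorphicHardened(attackerShaped);
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

    The first line of output is the whole bug: the request, not the server, decided which type was constructed. The allow-list binder is the right fix when the endpoint genuinely needs polymorphic input; when it does not, deserializing into a concrete DTO with type names off removes the sink entirely.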
  • @dlh61 said:

    Check the format of the message you're using and you will reduce the possibilities a lot.
    Check the version of ASP.NET running and you'll find that, for that version at that time, there were not too many common (more used, popular) providers available for that format.
    I'd never used it before, but it's amazing to see it works (and how).

    There are good readings following the tool repo.
    Very nice step in.
    :-)

    Thank you.
    I'm having issues using powershell: I cannot connect back to my machine, not sure why.
    I can download from my machine in a different way but I haven't tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

    halfluke

  • @halfluke said:

    @dlh61 said:

    Check the format of the message you're using and you will reduce the possibilities a lot.
    Check the version of ASP.NET running and you'll find that, for that version at that time, there were not too many common (more used, popular) providers available for that format.
    I'd never used it before, but it's amazing to see it works (and how).

    There are good readings following the tool repo.
    Very nice step in.
    :-)

    Thank you.
    I'm having issues using powershell: I cannot connect back to my machine, not sure why.
    I can download from my machine in a different way but I haven't tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

    location, location, location...

  • @j4v40n654n said:

    @halfluke said:

    @dlh61 said:

    Check the format of the message you're using and you will reduce the possibilities a lot.
    Check the version of ASP.NET running and you'll find that, for that version at that time, there were not too many common (more used, popular) providers available for that format.
    I'd never used it before, but it's amazing to see it works (and how).

    There are good readings following the tool repo.
    Very nice step in.
    :-)

    Thank you.
    I'm having issues using powershell: I cannot connect back to my machine, not sure why.
    I can download from my machine in a different way but I haven't tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

    location, location

    got it directly in memory. Decently painful, lol

    halfluke

  • Great!
    You could first try simple movements, such as trying to get a signal back, downloading to common folders or so, and then go to more sophisticated commands, knowing a bit more, such as the writable and callable functions available.

  • @dlh61 said:

    Great!
    You could first try simple movements, such as trying to get a signal back, downloading to common folders or so, and then go to more sophisticated commands, knowing a bit more, such as the writable and callable functions available.

    I started with a ping but from a ping to a shell there is a long way.
    It also all depends on what protection is activated on the target and how you can bypass it, if an AV prevents you from writing to disk and execute, etc. Not sure in this case as I do not have full access to the machine yet. Overall every box here is a great learning experience. D**********n is a tough topic for me as I don't know/like java or .net

    halfluke

  • Nice box. I wasn't familiar with the involved technologies and it took me longer than I expected, and that's the way to learn.

    Uvemode
    OSCP | eCPPT |

  • @halfluke said:
    > @dlh61 said:
    >
    > (Quote)
    > I started with a ping, but from a ping to a shell there is a long way.
    > It also all depends on what protection is activated on the target and how you can bypass it, if an AV prevents you from writing to disk and executing, etc. Not sure in this case as I do not have full access to the machine yet. Overall every box here is a great learning experience. D**********n is a tough topic for me as I don't know/like java or .net

    You can try a 2-step movement, such as putting a common tool in some common writable place and then getting a rev shell back to you! ;)
    Great work BTW.
  • edited October 2019

    This server is horribly slow

    And finally I got a super fast one, and all worked like a charm

    rooted.

    PM for nudges

  • edited October 2019

    Almost there, I think, but struggling with the final step with the vegetable. Anyone else get "Failed to start HTTP server" errors with this and have any pointers?
    I believe I know the reason why (port is in use) but not how to get around it. The PS version looks to have a workaround but I can't get the PS module to run .. :(

    edit: got there, over thinking it as ever

  • I don't understand: I get in the website using the "maybetoomuchsimple" credentials... Is that a honeypot? Because those creds are apparently useless...

    BadRain


  • @BadRain said:

    I don't understand: I get in the website using the "maybetoomuchsimple" credentials... Is that a honeypot? Because those creds are apparently unuseful...

    In the right place, keep looking at the requests and responses as you browse the site.. remember the name of the box also..

  • edited October 2019

    Ok, I give ... I am able to log in and I know where I need to aim my attack, but I am not having much luck with the POC tool. One of the payloads keeps giving me an error, and I could really use some help getting it to run through cleanly and verifying where I am aiming, etc. If anyone can give me some guidance, I would really appreciate it. Please DM me and I can show what I have and what errors I am getting.

    **Edit: thought I had it, but I guess I don't ... any help would still be appreciated!

  • edited October 2019

    And that's ok. It'd be nice to discover a way to exploit that information :P

    Edit: got user , going for root...

    BadRain
