Postman

Comments

  • @wsurfer said:

    hello, found r.... port, logged in, tested with m.....t but no luck, tried to save my i....ey to the a.....keys for the user that already has the p..b key on the machine.
    i see the k...y is written with a lot of "\n", but not able to login. any hint, not an expert in redis, found also there is a s.. user.

    ?????? where are you stuck at????

    there is no place like 127.0.0.1
  • edited January 26

    Has anyone got root manually?

    Finally Rooted manually.

  • Rooted! Thanks to jlsangom for the reminder to check for things to edit on files I was using...
    For the foothold I was following guides from two different places and both of them had at least one incorrect instruction. The hardest part was figuring out what commands to follow from each.
    Feel free to PM me if you're getting stuck in the same place :)

  • Rooted! fun box, learned a ton.

    Foothold: the target service can be broken in multiple ways, if one way isn't working then try and find another. Some methods are easier than others.

    User: Just because you don't have the flag doesn't mean you didn't own user.

    root: Don't overcomplicate this one, everything's in front of you. No need to do anything fancy.

    pm for nudges

  • Rooted!
    Low-level shell is the hardest part. Google for vulnerabilities and try to exploit it in manual mode, step by step.
    User: enumerate, find is your friend.
    Root: common CVE, can be easily exploited
    Feel free to DM me, if you need some hints

    t0wb0at

  • Spoiler Removed

  • Rooted. Everything seems to be said in this thread. For hints just PM me

  • Guys, please tell me: is it possible to learn smth new or to get any experience if the box is reset every fu...ing 3 minutes? Why are you doing so? Maybe if smth goes wrong, it's not the way out to reset and to start from the beginning? Maybe it's time to sit and think a bit about what I am doing wrong? It's a kind of mess - trying to get a fu...ing low-level shell when ping is lost, box is reset, etc...
    P.S. Sorry for emotions - a bit tired of this.

  • edited January 29

    alright I'm lost y'all. I've tried all the exploits and saw here that the scripts need to be fixed, so I've read them and don't see anything that stands out. I have no experience in C but my Python is alright. Can I get a PM with some direction? I try not to ask for help but I'm really frustrated

    Edit: rooted good god. i hate it when i finally figure it out and want to punch my own stupid face lmao.

  • I am having issues getting the initial foothold. I found a cve for w***** but I can't seem to get a session created even though the exploit is running. Did anyone else have this issue? Maybe I need to think about it differently?

  • Same. I'm frustrated and full of hate. Need initial foothold and tried everything

  • I feel like I've tried everything. I'm trying to add s** k** to the correct path using r*-c. I keep getting permission denied and I have spent hours trying to figure out how to enumerate users or directories. Can someone please DM me a hint??

  • can anyone tell me how i gain initial user credential on postman as i am noob. pls help.

  • Rooted!

    Feel free to DM me if you need a hint ;)

    -------- xOkami --------

    xOkamil

  • hey guys!!
    im a noob i need some hints i found the exploit but it seems missing few things if anyone can DM to help me :)

  • Rooted. Also got root and user at the same time. Initial foothold was difficult and required a lot of learning about the service. From there, common CVE, like mentioned in other posts, just make sure to type everything in accurately and think about dumb things users do.

    All in all, it was interesting learning to gain initial foothold without a common tool.

  • Rooted, Fun box!
    Foothold: the door your key is for might not be where you think it is
    User: find the file give it to john
    Root: fedex carries these

  • Rooted!
    Seriously, once you have foothold, just look through everything. You will find something of interest. It is just laying around.

  • Hi am Noob i need some hints .. i found exploit, it says system.exec not found. Please help.

  • edited January 31

    did u find r***s.py ?

  • @Nonamex7 said:

    hey guys!!
    im a noob i need some hints i found the exploit but it seems missing few things if anyone can DM to help me :)

    Depends which exploit you've found. If it is one early one which needs credentials, you need to get the credentials.

  • Guys..i get:
    "Connection closed by 10.10.10.160 port 22"
    Do you have any suggestions ? Is it possible that i was blocked by too many attempts ? I did only 3 attempts though..

  • Rather enjoyed this machine thanks to the builders! :smile:

  • Hey Hackers. I need a nudge please. I've enumerated and found two ports that look more interesting than the others one runs a service starting with r the other starts with w. I've found a few articles on r that point to creating an authorized_keys file. which seems to work, but when I ssh i'm prompted for a password :( I'm guessing the username is the same r word as the service? I'm pretty confident the users home dir is not in the usual place. Can't figure out where I'm going wrong.... some have mentioned the hackers cookbook has a working example but i don't have that pdf.

    Please DM me if you think you know where i'm going wrong or can offer general guidance.
    Chur

  • edited February 1

    @Destroyervg said:

    Guys..i get:
    "Connection closed by 10.10.10.160 port 22"
    Do you have any suggestions ? Is it possible that i was blocked by too many attempts ? I did only 3 attempts though..

    yeah that happens sometimes keep trying

    karTiK010

  • @marchitect said:

    Hey Hackers. I need a nudge please. I've enumerated and found two ports that look more interesting than the others one runs a service starting with r the other starts with w. I've found a few articles on r that point to creating an authorized_keys file. which seems to work, but when I ssh i'm prompted for a password :( I'm guessing the username is the same r word as the service? I'm pretty confident the users home dir is not in the usual place. Can't figure out where I'm going wrong.... some have mentioned the hackers cookbook has a working example but i don't have that pdf.

    Please DM me if you think you know where i'm going wrong or can offer general guidance.
    Chur

    meh - ignore - i was being super noob and forgot to add a required directory to the path where you'd find an authorized_keys file lololol

  • finally rooted!
    I didn't get Mt's shell. Are there any other ways r***s - Mt - root ?

  • @snowleaf said:

    finally rooted!
    I didn't get Mt's shell. Are there any other ways r***s - Mt - root ?

    The privesc opens the doors for shells, if nothing else you can do it with MSF.

  • I have read hint after hint and cannot seem to gain access to the initial shell using re***. If anyone can PM me that would be great!

  • Hello, I am trying to use an exploit for postman (webmin), but when I use the exploit I get this error:

    [*] Started reverse TCP handler on 10.0.2.15:4444 
    [-] Exploit aborted due to failure: unknown: Failed to retrieve session cookie
    [*] Exploit completed, but no session was created.
    

    I use Kali on a VM, what am I doing wrong? I tried to do it with the help of Burp Suite, but despite the fact that there are a lot of solutions on the net using it, something does not work for me :D, otherwise using the guide is pointless.
