Travel


Comments

  • Wow, what a ride! I can't remember when I started it!! But it was a great learning experience.
    I guess I'm too late now to post my 2 cents about it.
    I agree with @TazWake (unless you're one of the 'Gods' that rated the box as easy).

  • Hi!!!, some help over here ... I'm thinking that the vulnerability is around XML-RCENSURED, but I tried many lists with WPScan and nothing worked ... should I look another way? Any advice :) ...

  • @H4FN said:

    Hi!!!, some help over here ...

    So first a reminder that the box retires on Saturday.

    You need to enumerate more. You need to find the non-production thing and enumerate that. Find the thing which is trying to be hidden and dump that. Read it. Find the vulnerabilities in it and work out a way to exploit them. This is really challenging.

    That will get you a foothold. From there enumerate, find loot, use loot. Enumerate. Find loot, use loot, privesc.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • edited September 10

    @TazWake said:

    @H4FN said:

    Hi!!!, some help over here ...

    So first a reminder that the box retires on Saturday.

    You need to enumerate more. You need to find the non-production thing and

    OOOhhh, I didn't know that bro ... where can I see all the machines that will be retired?
    Currently I have B%/&. and B&(/&-***, enumerating all this and some RSS. I tried XMLRFC and also found a vulnerability for nginx, but no exploit is available yet :S. I do not have access to ***, I'm trying all that I can see ...

  • @H4FN said:

    > OOOhhh, I didn't know that bro ... where can I see all the machines that will be retired?

    In the Machines side (left) column on the HTB page, you can see 'unreleased (1)'; click it to reveal which old machine will be replaced by the new machine. This week Travel is retiring and Compromised is coming in.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • @H4FN said:

    I do not have access to ***, I'm trying all that I can see ...

    You can try fuzzing with various wordlists.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @gunroot said:

    @H4FN said:

    OOOhhh, I didn't know that bro ... where can I see all the machines that will be retired?

    In the Machines side (left) column on the HTB page, you can see 'unreleased (1)'; click it to reveal which old machine will be replaced by the new machine. This week Travel is retiring and Compromised is coming in.

    Roger that!! ... I only saw Release Arena! ... thanks bro!

  • edited September 10

    @TazWake said:

    @H4FN said:

    I do not have access to ***, I'm trying all that I can see ...

    You can try fuzzing with various wordlists.

    Any tip with ********? Or RSS ... I will try other lists on dev, it's all that I can see till today!!

  • @H4FN said:

    Any tip with ********? Or RSS ... I will try other lists on dev, it's all that I can see till today!!

    Google for the name and dumper, you can find a tool which will extract it all to your machine. Then you can look at the source code.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake said:

    @H4FN said:

    Any tip with ********? Or RSS ... I will try other lists on dev, it's all that I can see till today!!

    Google for the name and dumper, you can find a tool which will extract it all to your machine. Then you can look at the source code.

    I don't know how far I have advanced, but I will take a look into those files!! :O ... some zlib too, I'm not sure!! But I like it!!

  • @H4FN said:

    I don't know how far I have advanced, but I will take a look into those files!! :O ... some zlib too, I'm not sure!! But I like it!!

    There is a lot to process in the files but they (if you include the files they reference) do actually cover everything needed for the foothold. It's just really hard to work out - running trial and error bits helps a lot but can take a long time.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • edited September 10

    GOT ROOT an awesome box by dev

  • @TazWake said:

    @H4FN said:

    I don't know how far I have advanced, but I will take a look into those files!! :O ... some zlib too, I'm not sure!! But I like it!!

    There is a lot to process in the files but they (if you include the files they reference) do actually cover everything needed for the foothold. It's just really hard to work out - running trial and error bits helps a lot but can take a long time.

    I did all my research and it all looks like I need to do something with Mem-----d, but everything points to DDoS and UDP spoofing ... I'm here because I mixed up Admirer's IP with this one LOL!!

  • @H4FN said:

    I did all my research and it all looks like I need to do something with Mem-----d, but everything points to DDoS and UDP spoofing

    There are lots of ways to attack that service rather than use ExploitDB to find a vuln. In this instance you aren't attacking it, you are using it.

    It really is just a part of the attack here - you need to give it something it is looking for so everything else can work.

    There are other parts of the files which are much, much more important.

    ... I'm here because I mixed up Admirer's IP with this one LOL!!

    Lol, fun times!

    It is a good box. It is just super hard and really time-consuming if you don't already understand the way the attack works. The attack is "known" but it isn't seen very often on CTFs.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake said:

    @H4FN said:

    I did all my research and it all looks like I need to do something with Mem-----d, but everything points to DDoS and UDP spoofing

    There are lots of ways to attack that service rather than use ExploitDB to find a vuln. In this instance you aren't attacking it, you are using it.

    It really is just a part of the attack here - you need to give it something it is looking for so everything else can work.

    There are other parts of the files which are much, much more important.

    I tried a lot of tools but nothing could hit the port. I will wait for a writeup to understand where I was stuck and learn the next steps! I tried, but I'm new to CTF challenges and this was my first Hard CTF!!
    As always, thanks brother for all the support. I learned new things with this box in only two days :)

  • @H4FN said:

    @TazWake said:

    @H4FN said:

    I did all my research and it all looks like I need to do something with Mem-----d, but everything points to DDoS and UDP spoofing

    There are lots of ways to attack that service rather than use ExploitDB to find a vuln. In this instance you aren't attacking it, you are using it.

    It really is just a part of the attack here - you need to give it something it is looking for so everything else can work.

    There are other parts of the files which are much, much more important.

    I tried a lot of tools but nothing could hit the port. I will wait for a writeup to understand where I was stuck and learn the next steps! I tried, but I'm new to CTF challenges and this was my first Hard CTF!!
    As always, thanks brother for all the support. I learned new things with this box in only two days :)

    OK - it won't be long now anyway.

    In a nutshell, if you read the code it's possible to identify a way to inject stuff which can make a request on your behalf. With some effort this can be used to bypass a control and send data to a system which opens the door to further exploitation.

    It is one of the hardest footholds I've seen in a long time.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/
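The control TazWake describes sits where a server-side fetcher (an RSS reader curling a user-supplied feed URL, say) decides what it is willing to request; that is where SSRF defenses live. Below is an added example, not code from this thread or from the box: a Python check that resolves the host and refuses loopback, private and link-local targets, beside the naive substring filter that string matching alone would give. The hostnames, addresses and the offline resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetcher (an RSS reader that curls a user-supplied
# feed URL, for instance) must never be allowed to reach.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed, offline stand-in for DNS so the example runs without a network.
CONSTRUCTED_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],   # public-looking name, private address
}

def constructed_resolver(host, port):
    """Mimics socket.getaddrinfo(host, port) for the constructed names above."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0))
            for ip in CONSTRUCTED_DNS[host]]

def naive_check(url):
    """Substring filter: rejects only obvious spellings of the local host and
    never asks where a hostname actually resolves."""
    return "localhost" not in url and "127.0.0.1" not in url

def is_safe_fetch_url(url, resolver=socket.getaddrinfo):
    """Accept only http(s) URLs whose host resolves exclusively to addresses
    outside BLOCKED_NETS. The fetcher should then connect to the address that
    was checked rather than resolving the name a second time (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # no gopher://, file://, dict://
        return False
    if not parts.hostname or parts.username or parts.password:
        return False
    try:  # IP literal: nothing to resolve
        addrs = {ipaddress.ip_address(parts.hostname)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(i[4][0]) for i in resolver(parts.hostname, None)}
        except (socket.gaierror, ValueError):
            return False
    if not addrs:  # a resolver that answers with nothing is not a pass
        return False
    return not any(a in net for a in addrs for net in BLOCKED_NETS)
```

With the real `socket.getaddrinfo` as the resolver the same function works against live DNS; the constructed resolver only keeps the example offline.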

  • @TazWake said:

    @H4FN said:

    OK - it won't be long now anyway.

    In a nutshell, if you read the code it's possible to identify a way to inject stuff which can make a request on your behalf. With some effort this can be used to bypass a control and send data to a system which opens the door to further exploitation.

    It is one of the hardest footholds I've seen in a long time.

    I'm not sure about it, but I guess I saw that part in the code after the URL validations, with the curl to the URL, but I could not figure out how to exploit it. I need to keep reading and practicing :)

  • @H4FN
    Buddy. All you need is to study the source code and a ton of googling.
    If you're trying to do the box before it retires, I'm glad to help you.

    https://vkili.github.io/blog/ssrf/ssrf-in-the-wild/

    Read this article and the internal links too. It will help you to understand how internal SSRF can be launched.

    PM if you need more hints/pointers. :)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • @H4FN said:

    I'm not sure about it, but I guess I saw that part in the code after the URL validations, with the curl to the URL, but I could not figure out how to exploit it. I need to keep reading and practicing :)

    I'd strongly recommend working through Myrtle's write up of this box. It is really good.

    https://forum.hackthebox.eu/discussion/3826/travel-write-up-by-myrtle

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake said:

    @H4FN said:

    I'm not sure about it, but I guess I saw that part in the code after the URL validations, with the curl to the URL, but I could not figure out how to exploit it. I need to keep reading and practicing :)

    I'd strongly recommend working through Myrtle's write up of this box. It is really good.

    https://forum.hackthebox.eu/discussion/3826/travel-write-up-by-myrtle

    hahaha and I was thinking only of SimplePie, Memcache and the Debug php ... I have too much new information to process!!
    I'm trying to start growing new skills as a security guy coming from being a simple software developer guy, but it's always like ... DAMN, I only know that I don't know anything ...

    Thanks a lot to both of you guys, @gunroot.

  • @H4FN .. just like @TazWake said. I'm also suggesting that everyone go through Myrtle's write-up. Ma'am's write-up is bleeding edge at explaining every nook and corner of the box. :)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • @H4FN said:

    security guy coming from being a simple software developer guy, but it's always like ... DAMN, I only know that I don't know anything ...

    Don't judge yourself based on this box. It had one of the hardest footholds I've seen in a long time.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake said:

    @H4FN said:

    security guy coming from being a simple software developer guy, but it's always like ... DAMN, I only know that I don't know anything ...

    Don't judge yourself based on this box. It had one of the hardest footholds I've seen in a long time.

    I'm back after my depression with this box hahaha!! I will continue this week with other boxes :) Good to know that it was one of the hardest; I tried it without success, but it's part of keeping on learning.
