Official Blunder Discussion


Comments

  • @tripwire86 said:
    > Thanks in advance!

    Your wfuzz syntax is broken. -z isn't for a list of usernames and you've used it twice. You haven't given it a wordlist to FUZZ with.

    For example, if you were looking for image files you might use:

    -w wordlist -u http://example.com/FUZZ.FUZ2Z -z list,gif-jpg

    You also want to make sure you are eliminating some messages or you'll get an insane amount of responses.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • Hi first post noob here.

    I've found a hash for h***. I can't seem to crack it with john or hashcat. They just finish immediately. Should I be using a non standard wordlist?

  • @thewetbandit said:
    > I've found a hash for h***. I can't seem to crack it with john or hashcat. They just finish immediately. Should I be using a non standard wordlist?

    Hey. I assume that you got the hash from the appropriate version of Bludit from the initial shell.

    Once you have the hash, I suggest you analyze the type of hashing used with the link below.
    https://www.tunnelsup.com/hash-analyzer/

    Then use John or Hashcat to perform cracking based on the hash format you got from the above link.
    John/Hashcat will crack it against rockyou.txt.
    You can get the rockyou.txt file in here https://github.com/finnfassnacht/rockyou.txt

    If that doesn't work out, you can use the link below to crack the hash without specifying the hash format.
    (**Note: this link will only work for very commonly used passwords.)
    http://www.hashes.com

    Hope this will help you out.
    ;) Good luck.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Hi,

    I have a problem with msf. After putting in all the data, including lhost, I get this error:

    [-] Exploit failed: An exploitation error occurred.
    [*] Exploit completed, but no session was created.

    What could I be doing wrong?

  • I'm having the same issue as torcher15. I've tried to update kali and metasploit and still getting the same thing.

    [-] Exploit failed: An exploitation error occurred.
    [*] Exploit completed, but no session was created.

  • @Unemployment said:
    > I'm having the same issue as torcher15. I've tried to update kali and metasploit and still getting the same thing.
    >
    > [-] Exploit failed: An exploitation error occurred.
    > [*] Exploit completed, but no session was created.

    For both of you: try to alter the payload based on the nature of the exploitation. The default module needs some tweaks to work perfectly. But there is also a manual way to exploit.
    :smile: Good luck


  • edited June 2020

    @gunroot I tried to do the manual way with the script, but was running into errors on that as well. I'll do some digging to figure out what I'm missing.

  • Definitely enjoyed this box much more than tabby. User was pretty cool and root was very straight forward! Nice job :)

    publicist

  • Need some help with hashcat. PM me pls.

    Tripwire86l

  • @tripwire86 said:
    > Need some help with hashcat. PM me pls.

    Take a glance at all the comments on this page. There is an answer to a question similar to yours. :smiley:


  • edited June 2020

    Finally got root after practically losing my mind from rabbit holes.

    There's more than enough information in the thread to help you get your foothold.

    Foothold: It sucks to hear, but if you are stuck with it, think of a different way to enumerate using programs you're most likely already using. Thanks to @TazWake for nudging me in the right direction.

    For user: Once again. Just enumerate more.

    Root: This is where I wanna chip in my two cents. If you're having trouble figuring out root, stop overthinking it. The solution is extremely easy. From user, it should take two commands to have root. There was a CVE released last year in relation to the privesc. If you've checked everything already, check what your user is allowed to do, it should look a little suspicious.

    Hope this helps and isn't too much information. PM for a nudge and I'll try to help you out some more.

  • metasploit is not creating a session

  • my metasploit is not creating a session @bashsupremacy

  • @vaultmistry said:
    > metasploit is not creating a session

    Check your settings and payload.

    TazWake

  • Kindly help me with this machine, I have got stuck. I have found the admin page; how do I move forward? I am not getting anything else! Kindly help!

  • Hi everyone, a request for help!

    I have got initial foothold, which ended up being more of a guess despite hours of attempts at http-post brute force with the required user and wordlist.

    As a learning point, now that I have credentials, I have tried to go back to correct the syntax of the http-post request but to no avail (have tried both through Burp and Hydra). I believe it is primarily down to the incorrect definition of the failed login message.

    This has affected other instances before, not just Blunder, and I am keen to fix the syntax issue for the future. I was wondering if someone who was successful with the http-post brute force may message me the syntax they used. Alternatively I'd be happy to share the syntax I used for any tips!

    Thanks.

  • @looseygoosey said:
    > Hi everyone, a request for help!
    >
    > I have got initial foothold, which ended up being more of a guess despite hours of attempts at http-post brute force with the required user and wordlist.
    >
    > As a learning point, now that I have credentials, I have tried to go back to correct the syntax of the http-post request but to no avail (have tried both through Burp and Hydra). I believe it is primarily down to the incorrect definition of the failed login message.
    >
    > This has affected other instances before, not just Blunder, and I am keen to fix the syntax issue for the future. I was wondering if someone who was successful with the http-post brute force may message me the syntax they used. Alternatively I'd be happy to share the syntax I used for any tips!
    >
    > Thanks.

    This is not a good box for hydra. If you google the technology running it, you might find that it has some mitigations for brute force attacks.

    TazWake

  • Rooted.

    Foothold was definitely the trickiest part, but it's staring you in the face. No brute forcing or word lists needed, as discussed in previous posts.

    User was super easy, just enumerate.

    Root was also super easy once you locate the right method. Everything you need has already been discussed here.

    Overall, really liked this box - the foothold process really accentuated the stupid things that users do. The end exploit was really interesting to find.

  • Initial foothold was a tricky part; PM for help/nudge...

  • Other than foothold, this is one of the easiest boxes I've done. Take your time with enumeration, look closely, but don't look too hard. It may end up being a bit fuzzy. (If you look hard enough, brute-force is absolutely not necessary).

    User: Don't look too hard. Easier than you might expect.

    Root: 5 seconds. Easiest privesc I've seen in a while.

    Very handy box overall. Took around an hour/hour and a half from boot2root.

    Delete if it gives too much away

  • rooted, tq

  • trying to find this apparent username file is sure taking ages, this is what I get for being on free I guess. Have the other part of the puzzle.

  • @btwiusearch said:
    > trying to find this apparent username file is sure taking ages, this is what I get for being on free I guess. Have the other part of the puzzle.

    It can be painful but it shouldn't take that long. If you haven't found it in about 10 minutes, it might be worth double-checking your approach logic.

    TazWake

  • @TazWake said:
    > It can be painful but it shouldn't take that long. If you haven't found it in about 10 minutes, it might be worth double-checking your approach logic.

    Given the fact I've probably gone through a million words trying to find it so far I would probably say yes I should change my approach logic.

  • Ok, so I'm having some issues using M****S*****, I'm getting a [-] Exploit failed: An exploitation error occurred. I've set the user, pass, rhost, rport what am I missing?

  • edited June 2020

    @TazWake said:
    > @vaultmistry said:
    > > metasploit is not creating a session
    >
    > Check your settings and payload.

    I've read through this whole thread, still can't figure out what I'm doing wrong.
    I made sure my source ip address is correct, using target uri from the documentation, am using the p**/m**********/r********p payload and am getting this response:

    Exploit aborted due to failure: unknown: No tokenCSRF found.

    Can someone point me in the right direction?

  • @SecretLifeform said:
    > I've read through this whole thread, still can't figure out what I'm doing wrong.
    > I made sure my source ip address is correct, using target uri from the documentation, am using the p**/m**********/r********p payload and am getting this response:
    >
    > Exploit aborted due to failure: unknown: No tokenCSRF found.
    >
    > Can someone point me in the right direction?

    The problem is as it is, if you take a 5 minute look at the login page you'll see the issue. For whatever reason or not MS isn't either providing it or you just missed out on it. I mean you can always just do it manually :smile:

  • Rooted. ngl the enum was literally just one cmd, but I must have dropped requests when I did it originally and went down a rabbit hole. Don't miss anything. You do not need to 'bruteforce' anything if you can read.

    User: 1 v 1 + the rest of the hints in this thread; just make sure it's the right one
    Root: 5 seconds with the rest of the hints in this thread

  • The more I read that foothold is right in front of the face the more I want to scream :smiley: . If anyone would pm me with a nudge it would be greatly appreciated. Been banging my head on this for hours. Thanks in advance.

  • Can anyone help me get user? I have a hash from u***s.php but I have been unable to crack it. I have used the salt with it to no avail.
