Rabbit

The machine has quite a few "rabbit holes". I have enumerated the machine quite heavily and have found several things that would like me to log in, but I haven't been able to guess or find any sort of credentials to any of them.

Based on their versions, none of these "holes" seems to be susceptible to direct exploits without authentication.

I'm beginning to think that perhaps I'm missing something crucial here, but I have no idea what it might be. I would greatly appreciate it if someone could give me some guidance towards the initial step. Should I continue dirbustering to find some credentials or should I try harder to bruteforce the login?

(I don't want to list all the things I have found as that would count as a spoiler)

lokori


Comments

  • The best thing I can say to you without spoiling it for you would be to enumerate everything that is a web server :) I hope this doesn't spoil anything

  • better use gobuster, i avoid dirbuster

    peek

  • @peek said:
    better use gobuster, i avoid dirbuster

    agreed :)

  • edited April 2018

    Who you gonna call? Gobusters! Here's some gobustering in case someone else has difficulties on this machine or some other machine: https://gist.github.com/lokori/17a604cad15e30ddae932050bbcc42f9

    (Most likely I made some mistake earlier when I did this manually.)

    (Script mentions directory SecLists, which is something I added to Kali from GitHub. Contains additional wordlists and other useful lists for pentest purposes.)

    lokori

  • @Malkinowns71 said:
    The best thing I can say to you without spoiling it for you would be to enumerate everything that is a web server :) I hope this doesn't spoil anything

    There is indeed something vulnerable. I can even logon, but do not have enough privileges to exploit. Hmmm ...

    m4rc1n

  • i managed to get 3 working user credentials, i have tried various techniques :( but failed to go any further, could someone give me a hint to proceed further

  • So I think I found what I need to find from 'bustering. Now I have two different account hashes that should be useful but haven't been able to crack. They are both different hash types as well. I also have about 10 other accounts with an easier to crack hash and managed to crack three of them, but can't figure out where the accounts work. I still don't have any type of shell or RCE, so maybe they can be used later. Should I keep trying to crack these or did I miss something important?

    Thanks for the gobuster comments, didn't know it existed but it's quite nice compared to the alternatives.

    Excidium

  • @excidium we are in the same boat :tired_face:
    could someone give a hint to proceed ..

  • The two more difficult hashes might be uncrackable. The 10 easier ones should be useful, or at least some of them are useful.

    I'm struggling with a certain payload I have in my hands. My payload is in a way "accepted" by a certain system and looks actually very similar to other payloads I have accidentally seen there, but for some reason it doesn't have any effect. So maybe it's not executed or maybe I have missed something about this.

    Very humiliating experience this has been so far to me :cold_sweat:

    lokori

  • @lokori said:
    Who you gonna call? Gobusters! Here's some gobustering in case someone else has difficulties on this machine or some other machine: https://gist.github.com/lokori/17a604cad15e30ddae932050bbcc42f9

    About to start enumerating this machine, and after I saw your post I decided to modify your script so it works on any GNU/Linux. I am personally using BlackArch as my main desktop, so the path to the files is different, which is why the variables and array.
    https://gist.github.com/ReK2Fernandez/fe49a07d096aff95c17572d9ea170ab1


  • Since that post I have also added -l option to Dirbuster so that I get the length of server response in addition to HTTP status. Sometimes the length makes all the difference to find the interesting one compared to "normal".

    lokori

  • so far I found something interesting among all the rabbits and fake vulns :) not sure if it is the right thing yet but was able to create a certain account and then modify certain things to change privileges. will continue tomorrow, need to work in a couple of hours. cheers. @lokori yeah the one I usually use has a couple more options as well.



  • Any nudge towards priv esc ?

  • There is access to the correct interface (I guess), there is even a clue given, what to do next. There are even exploits (I tried two so far) which should potentially work and ... nothing, no shell so far. What am I doing wrong?

    m4rc1n

  • edited May 2018

    Yeah been poking around this box and found a few rabbit holes. Is someone around to help steer me in the right direction? Been enumerating and testing for vulns for several days. Not sure what is left to test.

  • so far i found 3 apps (o, j, c) . Atm it looks like all of them are rabbit holes. Is one of them the door in or do I need to do more enumeration. PM appreciated, thanks.

  • I have access to two of them (probably even to all, did not check yet everything) a number of hashes and ... still trying to figure out where is the way to getting the user. Really irritating.

    m4rc1n

  • edited May 2018

    @gash said:
    so far i found 3 apps (o, j, c) . Atm it looks like all of them are rabbit holes. Is one of them the door in or do I need to do more enumeration. PM appreciated, thanks.

    Maybe one of them is the door, maybe not. Just try to exploit every single endpoint you detected. If you do not, you will never know whether it is the door or not. Try Harder !!

    @macw141 said:
    I have access to two of them (probably even to all, did not check yet everything) a number of hashes and ... still trying to figure out where is the way to getting the user. Really irritating.

    Read carefully every piece of information you had while attacking the box. After you realize what you need to do, try to make it work on your own system.

  • ok several usernames and passwords/hashes. Anyone know if they are useful or just a rabbit hole?

  • @securityNinja said:
    ok several usernames and passwords/hashes. Anyone know if they are useful or just a rabbit hole?

    you need to try them in order to know

  • Anyone up for a hint on privesc for RABBIT? I tried several things so far but no luck. Please PM, thx

  • @gash said:
    Anyone up for a hint on privesc for RABBIT? I tried several things so far but no luck. Please PM, thx

    privesc is just there -;)

    m4rc1n

  • Guys can I pm someone on rabbit? i know how to get the shell but it doesn't seem to work. I just want to know if my commands are ok..

  • i can receive a ping back from the Rabbit machine but no shell is coming back. Could i pm anyone?

  • WTF with that box ?

    I probably have sent about hundred documents and all I got so far is an unbreakable NTLM hash.

    I tried every possible technique and they all work on my VM with the same AV as the one running on Rabbit, getting me a shell every time.

    Such a pain...

  • Finally got system.

    To sum it up: directly reset the box before sending a doc then wait 7 minutes to see if it works.

    Tips:

    the installed Office software is not the one announced but very close... Are there technical differences between the two? I can't say but it may explain some things.

    Just act like there is no AV on the system... I mean the doc I used to get shell was definitely blocked on my box with the AV announced but it worked on Rabbit. If one doc doesn't work on Rabbit just try another method.

  • @devloop i'm stuck also with the uncrackable hash, i would appreciate a nudge in the right direction, i feel so close, i tried a lot of document combos... thanks and great challenge!!!

  • Could someone PM me about the initial foothold. I have been trying different payloads with no luck, they work when tested locally then fail when I send them.

  • is gobuster required for this one?
    i see people mentioning obtaining hashes by enumerating directories..
    but i have only found 2 services on web servers ( ow, and jo)
    but i can't move any further
