Oz

Finally managed to find something, but even after that getting a shell, or at least RCE, doesn’t work. I am missing modules or compiled my code incorrectly.

I have the same issue for priv esc and port forward, but still nothing. Could someone PM me?

@dmcxblue said:
Need help for initial any hints much appreciated!

Me too :frowning:

EDIT: Got it

Edit: Never mind. Solved that issue thanks to @dmcxblue

I was able to enumerate and crack, but I’m stuck on getting the RCE. Any help?

@pup said:
Can I PM anybody about privesc? always get JSON.parse: unexpected character at line 1 column 2 of the JSON data

EDIT: If someone got the same error, just use chrome…

Thank you @pup!!, ■■■■ Firefox!! The web UI was unable to show anything! – 2 days wasted!

Edit: Never mind. Just cracked one of them. If anyone needs advice about converting them to a format hashcat can understand, PM me.

Stuck on escalation and would appreciate a hint. I have port forwarding setup, but can’t figure out how to get in. Attempting to crack hashes from the .db file. They seem uncrackable.

@opt1kz said:
Stuck on escalation and would appreciate a hint. I have port forwarding setup, but can’t figure out how to get in. Attempting to crack hashes from the .db file. They seem uncrackable.

No cracking required. Go google the item’s HTTP api readme

Many of the first steps weren’t very welcoming though and the odd 200 responses maybe were not so “realistic” either, whatever realistic even means. Anyway, I still think this was a fun box, thank you @incidrthreat and @Mumbai , I learned lots of new tricks and burp-fu. Root privesc was fun :slight_smile:

nvm. rooted

Need some hint for initial foothold

This box boiled my brain, and it feels good, hehe, cuz I finally got root.
On initial foothold: user input is the key, guys.
privesc is much much easier.
thank you, @incidrthreat and @Mumbai

Could it be that some serious cracking is required to get a foothold? Am I using the wrong wordlist?
I’m not sure if I should torture my poor CPU that much … PMs are welcome.

EDIT: cracked one of the hashes which took a few hours without a GPU. Thanks to @AmiToLotto for the hint.

Hi all.
I have user, and I think I know what to do for the last bit. I have one question about access to a certain port - what I usually do doesn’t work here. I would be grateful for a pm so I can ask a question without spoiling here

Just rooted it, very fun machine, congrats to the creator.

Rooted! This was a GREAT learning experience. So many different things to do

For those who have problems with web server enumeration because of random answers, I can recommend wfuzz. It provides loads of options for filtering web server responses.

E.g. the following command fuzzes the target with data from the wordlist and hides all responses with HTTP status code 400 or those that contain only digits (specified by a regular expression).

wfuzz --hc 400 --hs '^[0-9]+$' -w wordlist.txt 'http://target/FUZZ'

Documentation for the tool can be found here:
https://wfuzz.readthedocs.io/en/latest/
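The same two filters from the wfuzz command above, reimplemented as an added Python example (this is not the poster's code and not part of wfuzz). It keeps the filtering logic in a standalone function so it can be checked offline against constructed sample responses; the `http://target/FUZZ` template and the word list are placeholders, and only the `fuzz()` helper actually touches the network.

```python
import re
import urllib.error
import urllib.request

# Hypothetical target template (placeholder, as in the wfuzz command above).
TARGET = "http://target/FUZZ"

# Equivalent of wfuzz --hs '^[0-9]+$': hide bodies that are only digits.
DIGITS_ONLY = re.compile(r"^[0-9]+$")


def should_show(status, body, hide_codes=(400,), hide_regex=DIGITS_ONLY):
    """Return True when a response is worth looking at (i.e. NOT hidden).

    Mirrors the two wfuzz filters: --hc 400 hides responses with HTTP status
    400, and --hs '^[0-9]+$' hides responses whose body matches the regex.
    """
    if status in hide_codes:
        return False
    if hide_regex.search(body):
        return False
    return True


def filter_responses(responses, hide_codes=(400,), hide_regex=DIGITS_ONLY):
    """Apply should_show() to (word, status, body) tuples; return surviving words."""
    return [
        word
        for word, status, body in responses
        if should_show(status, body, hide_codes, hide_regex)
    ]


def fuzz(url_template, words, timeout=5):
    """Request url_template with FUZZ replaced by each word.

    Yields (word, status, body). Non-2xx answers are returned as normal
    results (not raised) so the filter sees their real status code; network
    failures are reported as status 0 with an empty body.
    """
    for word in words:
        url = url_template.replace("FUZZ", word)
        req = urllib.request.Request(url, headers={"User-Agent": "fuzz-example"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                yield word, resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            yield word, e.code, e.read().decode("utf-8", "replace")
        except urllib.error.URLError:
            yield word, 0, ""


# Constructed sample responses standing in for a server that answers random
# paths with 200 and a bare number instead of a proper 404.
SAMPLE_RESPONSES = [
    ("admin", 200, "<html>Login</html>"),
    ("backup", 400, "bad request"),
    ("random1", 200, "48213"),
    ("random2", 200, "7"),
    ("api", 200, '{"status":"ok"}'),
]

if __name__ == "__main__":
    # Offline demonstration on the constructed responses; swap in
    # filter_responses(fuzz(TARGET, words)) to run against a live target.
    for hit in filter_responses(SAMPLE_RESPONSES):
        print(hit)
```

Against the constructed responses only `admin` and `api` survive: `backup` is dropped for its 400 status, and the two digit-only bodies are dropped by the regex. Because the noisy 200 answers here carry arbitrary numbers, filtering on a body pattern (or, in wfuzz, on word or line counts) is usually more reliable than filtering on status alone.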

I’m stuck getting user. I can read files (at least 2 interesting ones found) and am able to log into a web app after cracking hashes. After reading about several auth mechanisms and trying several other things I’m out of ideas. I guess I overlooked something.

It would be great if one of you could give me a hint on how to continue. PMs are welcome. This post is a bit vague because I don’t want to spoil.

Does everyone find this box too easy to need to ask questions on or too hard to try :smile: