Carrier

just captured F*p creds what to do now hint please…?

@sakyb said:
just captured F*p creds what to do now hint please…?

If they are the ones I think they are, log in with them.

@TazWake said:
@sakyb said:
just captured F*p creds what to do now hint please…?

If they are the ones I think they are, log in with them.

Login where???

@sakyb said:

Login where???

I’d try one of the places your initial enumeration identified.

User was interesting… once you know which port to look at it’s relatively straightforward. If anyone wants to help with user drop me a message…
Onto root!

Did the SN and webapp login, found something in diags but actually stuck right there…
As a network rookie, any hints are welcome :anguished:

Thanks!

@nickxla said:
Did the SN and webapp login, found something in diags but actually stuck right there…
As a network rookie, any hints are welcome :anguished:

Thanks!

Sometimes you need it encoded.

Can someone confirm they have got this g4y RCE working with curl? Pretty please… before I lose my ■■■■ mind. Thanks in advance.

PM me if you would. Much appreciated.

Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint please!

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint please!

You are going in the correct direction, but take a closer look at the SN/password.

Hello everyone, this is my first time solving any machine (Carrier) on HTB, so I need your help.
I have found a unique port, 161, but it’s not opening in the browser. I am trying to enumerate it but have no clue…
And I found the ‘error_codes.pdf’ file, from which I got the clue that the password is some serial number, but I also don’t know how to get that…
Can anyone give me a hint on what to do next?

@ASHacker said:
Hello everyone, this is my first time solving any machine (Carrier) on HTB, so I need your help.
I have found a unique port, 161, but it’s not opening in the browser. I am trying to enumerate it but have no clue…
And I found the ‘error_codes.pdf’ file, from which I got the clue that the password is some serial number, but I also don’t know how to get that…
Can anyone give me a hint on what to do next?

You’re looking at the right port, look carefully.

Still stuck trying to understand diags. I am pretty sure I have something to do with c**l and RCE but I don’t know where to go.

Feel free to PM if it contains spoilers, thanks

EDIT: Got user, thanks @TheInnocent

Rooted

User was simple - as long as you don’t overlook simple/obvious things

Root was tough as old boots - BUT everything in this box is a clue to the next step

You WILL need a fairly good knowledge of network protocols for this

Once you have user - make a note of everything you find - it will come in useful later

Thanks to @BoiteAKlou for noticing one letter missing right at the last hurdle

If like me you copy and paste notes - make sure you have copied every character!

@dualfade said:
Can someone confirm they have got this g4y RCE working with curl? Pretty please… before I lose my ■■■■ mind. Thanks in advance.

PM me if you would. Much appreciated.

Sure, anything that can talk HTTP should work.

@koredump said:

@dualfade said:
Can someone confirm they have got this g4y RCE working with curl? Pretty please… before I lose my ■■■■ mind. Thanks in advance.

PM me if you would. Much appreciated.

Sure, anything that can talk HTTP should work.

Well, I cannot respond to you. Keeps dropping my PM. Weak sauce hah. Thanks for responding.

Edit. For some reason it is not working w/ curl. Odd. Same payload and all from ZAP / Burp. Boo…

rooted. My hints for this box:

  • for user, don’t stop at the very first nmap scan, use full potential and enumerate every service. Reading everything in the web portal will help. Once inside, try to play with the only interesting parameter you see in burp to obtain a shell

  • for root you don’t have to do much but you’ll have to KNOW much about a certain service. First thing, run an enumeration scan, then try to read as much as you can about how things like that work

@ASHacker said:
Hello everyone, this is my first time solving any machine (Carrier) on HTB, so I need your help.
I have found a unique port, 161, but it’s not opening in the browser. I am trying to enumerate it but have no clue…
And I found the ‘error_codes.pdf’ file, from which I got the clue that the password is some serial number, but I also don’t know how to get that…
Can anyone give me a hint on what to do next?

Try to google port 161 and you will understand

@nofunofunofun said:

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint please!

You are going in the correct direction, but take a closer look at the SN/password.

Oh, Yes. Thank you so much.

Logged in and now playing with diag. It was returning some output, now it is not returning anything (even with the default encoded q…ga param).

any idea, what could be the problem?
Thanks

EDIT: It works again !