Carrier

Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint please!

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint please!

You are heading in the right direction, but take a closer look at the SN/password.

Hello everyone, this is my first time solving any machine (Carrier) on HTB, so I need your help.
I have found a unique port 161 but it’s not opening in the browser. I am trying to enumerate this but no clue…
And I found the ‘error_codes.pdf’ file, from which I got the clue that the password is some serial no., but I also don’t know how to get that…
Can anyone give me a hint what to do next?

@ASHacker said:
Hello everyone, this is my first time solving any machine (Carrier) on HTB, so I need your help.
I have found a unique port 161 but it’s not opening in the browser. I am trying to enumerate this but no clue…
And I found the ‘error_codes.pdf’ file, from which I got the clue that the password is some serial no., but I also don’t know how to get that…
Can anyone give me a hint what to do next?

You’re looking at the right port, look carefully.

Still stuck trying to understand diags. I am pretty sure I have something to do with c**l and RCE but I don’t know where to go.

Feel free to PM if contains spoilers, thanks

EDIT: Got user, thanks @TheInnocent

Rooted

User was simple - as long as you don't overlook simple/obvious things

Root was tough as old boots - BUT everything in this box is a clue to the next step

You WILL need a fairly good knowledge of network protocols for this

Once you have user - make a note of everything you find - it will come in useful later

Thanks to @BoiteAKlou for noticing one letter missing right at the last hurdle

If like me you copy and paste notes - make sure you have copied every character !

@dualfade said:
Can someone confirm they have got this g4y RCE working with curl? Pretty please… before I lose my ■■■■ mind. Thanks in advance.

PM me if you would. Much appreciated.

Sure, anything that can talk HTTP should work.

@koredump said:

@dualfade said:
Can someone confirm they have got this g4y RCE working with curl? Pretty please… before I lose my ■■■■ mind. Thanks in advance.

PM me if you would. Much appreciated.

Sure, anything that can talk HTTP should work.

Well, I cannot respond to you. It keeps dropping my PM. Weak sauce hah. Thanks for responding.

Edit. For some reason it is not working w/ curl. Odd. Same payload and all from ZAP / Burp. Boo…

rooted. My hints for this box:

  • for user, don’t stop at the very first nmap scan, use full potential and enumerate every service. Reading everything in the web portal will help. Once inside, try to play with the only interesting parameter you see in burp to obtain a shell

  • for root you don’t have to do much but you’ll have to KNOW much about a certain service. First thing, run enumeration scan, then try to read as much as you can about how things like that work

@ASHacker said:
Hello everyone, this is my first time solving any machine (Carrier) on HTB, so I need your help.
I have found a unique port 161 but it’s not opening in the browser. I am trying to enumerate this but no clue…
And I found the ‘error_codes.pdf’ file, from which I got the clue that the password is some serial no., but I also don’t know how to get that…
Can anyone give me a hint what to do next?

Try to google port 161 and you will understand

@nofunofunofun said:

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint please!

You are heading in the right direction, but take a closer look at the SN/password.

Oh, Yes. Thank you so much.

Logged in and now playing with diag. It was returning some output, now it is not returning anything (even with the default encoded q…ga param).

Any idea what could be the problem?
Thanks

EDIT: It works again !

@ZeusBot said:
Guys, I'm stuck on the s**p port enum. I got an interesting result SN******* from that port. Any idea? Give me some hint?

I just want to know how you got this result SN******. I tried to google about port 1*1 (s**p) but got no clue…

@ASHacker said:

@ZeusBot said:
Guys, I'm stuck on the s**p port enum. I got an interesting result SN******* from that port. Any idea? Give me some hint?

I just want to know how you got this result SN******. I tried to google about port 1*1 (s**p) but got no clue…

Look at how to enumerate that service

So what's with secretdata.txt?

@EvilMonkee said:

@ASHacker said:

@ZeusBot said:
Guys, I'm stuck on the s**p port enum. I got an interesting result SN******* from that port. Any idea? Give me some hint?

I just want to know how you got this result SN******. I tried to google about port 1*1 (s**p) but got no clue…

Look at how to enumerate that service

Thank you, that was a great help to let me think in another way.

I’ve been able to get a reverse shell, although I don’t really understand why I spawned into this machine and not on the web server (maybe I’m in a VM).
I think the next step is to find some info on the server on the subnet which is given in the ticket. However, when I log in with ftp, it’s empty. I really don’t know what to do.

@nessaj said:
I’ve been able to get a reverse shell, although I don’t really understand why I spawned into this machine and not on the web server (maybe I’m in a VM).
The web server does not execute the code on its machine. There is a persistent ssh connection from the internal host to the web server, and the web server sends the commands you give it through the ssh tunnel to this other host.
So your RCE is basically being funneled to another machine.

Got root… thanks to those who helped me a lot… PM for hints…

Why jrgdiaz is resetting the system???