Zipper

@sajkox said:
hi all - my inbox blew out a little bit overnight :slight_smile:
Please note I’m always happy to help but will never give working solutions out - it’s against the rules.
There might be other ways to ‘get in’ but I just said hydra worked for me. Get familiar with what you see as a guest and be creative with your user/pass wordlists - as you should always be if nothing else works. Also don’t go crazy with full rockyou, that would be unnecessary load on the box.

I will try to look at the inbox later - sry busy day and can't just now
GL

That’s what you get for posting a comment with little context haha.
That being said, your follow-up comment was perfect, it should be very clear to everyone without being a big spoil. Thank you for keeping it fair.

Don’t forget everyone, it’s rare for a creator to overlook something like a guest login, it’s there for a reason.

@Rantrel said:

@sajkox said:
hi all - my inbox blew out a little bit overnight :slight_smile:
Please note I’m always happy to help but will never give working solutions out - it’s against the rules.
There might be other ways to ‘get in’ but I just said hydra worked for me. Get familiar with what you see as a guest and be creative with your user/pass wordlists - as you should always be if nothing else works. Also don’t go crazy with full rockyou, that would be unnecessary load on the box.

I will try to look at the inbox later - sry busy day and can't just now
GL

Don’t forget everyone, it’s rare for a creator to overlook something like a guest login, it’s there for a reason.

THIS.

Pay attention to what you read, the info you need is right there. Also, PrivEsc shouldn’t take more than 10 minutes.

Doing Zipper right now, if anyone wants to PM me a hint OR leave a msg on the forum.

-At login Page-

I think about a user starting with Z… Just I'm trying rockyou against it hehe.

Unable to execute the exploit, it throws me a ValueError.

So, just rooted this machine, I really had a lot of fun, thanks to the creator.

Here some hints:

FOR INITIAL FOOTHOLD:

When this machine came out, I saw a difficulty of 8 and I tried all the esoteric things I could think of. I assumed the machine was hard, so stupid things just could not work.
I was wrong! Keep things simple: everything is in front of your face.

NOTE: If you are facing problems with Hydra syntax, test it against your local proxy or try xhydra, the GUI version.

FOR USER:

Read the documentation and try to send custom requests until you understand well the app jargon and how each component works.
There is more than one way to do the same thing, and if one doesn’t work, try the other.

FOR ROOT:

Nothing fancy: a very common ‘method’ of privesc, typical in a lot of CTF challenges. Again, keep things simple.

Please lower your hydra threads, you are DDoS’ing the box by holding all of the database connections.

Is hydra necessary? Maybe a small list or just guessing.

No hydra is not necessary, and if you want to use it, no need for a big list but a custom one from what you can read on the webapp.

removed

@sajkox said:
I can confirm that hydra was useful for me …

FFS- this is BULLSHIT. Do not bother brute-forcing the admin - it is #POINTLESS.

I’ve seen the password and it isn’t ‘rockyou123’. Google is your friend.

@izzie said:

@sajkox said:
I can confirm that hydra was useful for me …

FFS- this is BULLSHIT. Do not bother brute-forcing the admin - it is #POINTLESS.

I’ve seen the password and it isn’t ‘rockyou123’. Google is your friend.

It is not BS - it was useful for me. You don’t need to use it if you connect the dots and try everything manually.
Nowhere in here does it say to brute admin or use rockyou (quite the opposite), so where is this aggro coming from? Just because you assumed it means something else, it doesn’t make sense anymore?
Would love to hear how google helped you - I owned it now and still can’t find anything using google that would have helped me get through the first stage - feel free to PM me saying what you mean by google friend.

Hi. I was able to guess a username and password, but when I try to log in I see the following message: “GUI access disabled.”.

Can anybody tell me how to bypass this? Thanks!!

GUI isn’t the only way to access that.

Any hint for privilege escalation? I’m stuck… I already have a reverse shell :cold_sweat:

I am confused by the MSF module for Zabbix as it’s saying "Unexpected HTTP body (is this really Zabbix?)".

The Rapid7 code says it’s looking for a 200 return code, which I can see the server returning in my PCAP.

Initially tried a list of generated user/pass combinations of ~150, and then a list closer to 2000 based on all the viewable content in the pages (and what the starting creds could have been), but no dice. If the creds should be obvious I’m clearly missing something here.

EDIT: I got it - I just wasn’t paying close enough attention to results.

Box was okay I guess. For the starting foothold don’t start using hydra or anything related to cracking any login portal; everything can be guessed, and the exploitation for the reverse shell is as easy as it can get. For the root part, well, it was a common easy root part; user was a lot harder to achieve. TIPS: Take a look as a guest user at the hostname and the services, you can guess the logins, and use searchsploit zabbix to locate the needed exploit for the reverse. The only thing that I disliked was the cron job killing the sessions every now and then.

Got user without using the exploit, so it looks like there are different paths.
EDIT: Rooted, great box, even though I think there must be better ways than how I did it.

■■■ it took me ages to find the foothold, seems like my default approach to discovery sucks - PM me how you guys found it.