Vault

Is the login page a rabbit hole? and should I be brute forcing it?

@codo said:
Is the login page a rabbit hole? and should I be brute forcing it?

Maybe and no. Continue your enumeration.

Tip: If you’re using gobuster, enable the following file extensions: php,txt,html with the -x flag.

And as @0x29A said, common.txt from seclists is enough

I have a shell. Does anyone have any hints for finding/getting to the user.txt?

Thx Skunkfoot and fjv, I got a shell now

@fjv I actually tried it with the extensions + directory 2.3 medium. I will try again with common.txt

Nope nothing… Maybe I oversee something, but I have no clue how to continue

@NicoF2000 said:
Nope nothing… Maybe I oversee something, but I have no clue how to continue

Hmm, I am in the same boat as you.
The only 200 that came back was for index.php…

@avoidy said:

Hmm, I am in the same boat as you.
The only 200 that came back was for index.php…

Same here

I’m stuck on that op***** config :confused:

Spoiler Removed - egre55

The initial page gives a pretty good hint about how to use gobuster

Hey Dave, do not know the user.txt?? Can someone PM me how I can find it???

@agnarus said:
Hey Dave, do not know the user.txt?? Can someone PM me how I can find it???

on the same boat. Not sure how to proceed from dave to find user.txt

@gudj4qu3r said:
@shadow2Xx, @avoidy and @NicoF2000 maybe you need to get one word from the initial page and do something with it… If I’m spoiling too much please delete it!

Perfect hint mate. Thanks a lot.

@axle05 said:

@agnarus said:
Hey Dave, do not know the user.txt?? Can someone PM me how I can find it???

on the same boat. Not sure how to proceed from dave to find user.txt

Maybe you are in the wrong place

I don’t know how to approach the login page… I tried brute forcing, SQL injection… nothing worked! Any hints?

Guys, just like almost every other box, no bruteforcing is required at all. If that’s what you’ve resorted to because you can’t find anything else (I know I did), you probably need to enumerate more.

@Skunkfoot said:
Guys, just like almost every other box, no bruteforcing is required at all. If that’s what you’ve resorted to because you can’t find anything else (I know I did), you probably need to enumerate more.

OK, thanks :wink: Brute is my last resort… I’m just stuck :expressionless:

You have to guess the first folder before running gobuster… then keep enumerating until you find something really exploitable.

Deeper