Carrier

Hello, does someone have a hint for after the login to the admin web page? I want to get user access on the machine but the password is not the same when I try an SSH connection. Help me please, I’m stuck for hours ^^

@sekeita

@GreysMatter said:
@sekeita

There is one page that stands out from the others … perhaps burp would show something interesting

Spoiler Removed - egre55

.

Having trouble with the initial user flag. Found 1*1 and what should be the webapp username, but I don’t know where to go from here. PM please?

Anyone available for some tips about RCE? I know I’m looking at the right thing, but I think I need to learn a bit more about different ways to execute it… Thanks!

Anyone willing to help me on the root part of Carrier? I know what to do, but I'm lacking the knowledge to get the right syntax.

Struggling with syntax on webapp to get rev shell. I can read some info back already…
Help pleasss

@cbx said:
Struggling with syntax on webapp to get rev shell. I can read some info back already…
Help pleasss

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

@CesarSilence said:

@cbx said:
Struggling with syntax on webapp to get rev shell. I can read some info back already…
Help pleasss

Reverse Shell Cheat Sheet | pentestmonkey

PM me dude

Got root thanks to the tremendous help of @jkr

I got RCE and spent the past 24 hrs hammering away at this with all my network-fu. I thought I had the plumbing all sorted out but I’m starting to think that is not the way to go on this. I’m trying not to be disruptive so have been very subtle with “engineering”, as if this was a production environment. Can someone PM me / give me a nudge to confirm that a more aggressive approach is the right way to ‘hijack’ the root flag on this box?

Have been stuck on priv-esc for so long. I had quite some days of researching. I believe I have a correct map of the environment, have some traffic in my hand, but this type of challenge is still very new to me. Some help would be greatly appreciated.

Got the root :slight_smile:

Got root. Thanks to the dudes who helped me out there. Great box

@blueorchid said:
Have been stuck on priv-esc for so long. I had quite some days of researching. I believe I have a correct map of the environment, have some traffic in my hand, but this type of challenge is still very new to me. Some help would be greatly appreciated.

Which part are you struggling with? Feel free to PM me.

Got root, twice actually, because my VM crashed as I was pasting to claim owning system. Thanks to @s4m3sh for confirming my suspicion, I still did it subtly though :wink:

The box is not hard, doesn’t need a network expert but does require some understanding of networking concepts. It is a fun setup, however I have strong doubts that this would work in a production environment.

I would recommend that people attempting this box take the opportunity to learn how and why it works instead of just rushing it, as even though the networking part wasn’t too hard for me, I still learnt to use quite a few tools in ways I hadn’t tried before.

Hey, can anyone give a hint as to how to grab the initial foothold … I did enumerate the so-called UDP port and used various scripts … all I know is that pu**** exists and found an OID with a value which looks like a password to me … what to do now … tried every possible combination on the main web page … but no use!!! Anyone here that can help me??? :confused:

@Puru said:
Hey, can anyone give a hint as to how to grab the initial foothold … I did enumerate the so-called UDP port and used various scripts … all I know is that pu**** exists and found an OID with a value which looks like a password to me … what to do now … tried every possible combination on the main web page … but no use!!! Anyone here that can help me??? :confused:

Try to enumerate more the service you’re trying to log in to, see if you can find the information you need elsewhere. It will be quite clear.