Mantis Creds

I found some creds for this box that are suppose to be for a particular account but when I tried them they didn’t work. They do work with another user. Is that suppose to be like that?

are you sure you are searching for same box and not the other box where u submitted and it accepted

@subz3r0 said:
are you sure you are searching for same box and not the other box where u submitted and it accepted

what do you mean by the same box?

@m3g4n00b said:
I found some creds for this box that are suppose to be for a particular account but when I tried them they didn’t work. They do work with another user. Is that suppose to be like that?

Sometimes “admin” with a certain password on one service is not the same username (admin) on a different service, using the same password. For instance, Blocky. The password for the admin account on WordPress (or was it phpmyadmin, dont remember exactly) was the same as the user password for the user’s account itself - it might be working as intended. I’d have to look at my notes for Mantis to recall exactly, but sometimes its set up that way… If that makes sense…?

@likwidsec said:

@m3g4n00b said:
I found some creds for this box that are suppose to be for a particular account but when I tried them they didn’t work. They do work with another user. Is that suppose to be like that?

Sometimes “admin” with a certain password on one service is not the same username (admin) on a different service, using the same password. For instance, Blocky. The password for the admin account on WordPress (or was it phpmyadmin, dont remember exactly) was the same as the user password for the user’s account itself - it might be working as intended. I’d have to look at my notes for Mantis to recall exactly, but sometimes its set up that way… If that makes sense…?

So the creds are stored “in secured format”. The password for a system admin account provided doesn’t work. Instead it works with the username specified in another set of creds. I just want to confirm that it is suppose to be that way.

@m3g4n00b said:

@likwidsec said:

@m3g4n00b said:
I found some creds for this box that are suppose to be for a particular account but when I tried them they didn’t work. They do work with another user. Is that suppose to be like that?

Sometimes “admin” with a certain password on one service is not the same username (admin) on a different service, using the same password. For instance, Blocky. The password for the admin account on WordPress (or was it phpmyadmin, dont remember exactly) was the same as the user password for the user’s account itself - it might be working as intended. I’d have to look at my notes for Mantis to recall exactly, but sometimes its set up that way… If that makes sense…?

So the creds are stored “in secured format”. The password for a system admin account provided doesn’t work. Instead it works with the username specified in another set of creds. I just want to confirm that it is suppose to be that way.

I edited my post and decided to just PM you since I felt like I was spoiling stuff. Check PMs. :slight_smile:

Looking for hints on Mantis for owning the user. I have the creds to the box itself that are accepted, but I cannot do much with them. I have been trying various
things for the last couple of days now, but everything is failing, what am I missing?

Enum the box and see if there is a service that accept the credentials you found. If I remeber correct, this box have quite a few services running.

Yup, i was trying to say that I used those credentials on one of the services and I can see they are accepted, (previously I could not login to that account without those creds), but they don’t allow me do much. They revealed something that was not there before, but I am not sure how I can use the new info anywher. I know in that place sometimes you can find cached credentials, but they were not there this time.

They allow you to do just enough.

Could anybody drop me a PM on the next step? I have access to a certain service and the ability to upload files. I think this is the right path?

So I’m bit stuck with privesc on Mantis. Got low level shell going on, db credentials and passwd for an user but so far didn’t find a way to use his creds to execute anything as him or esc to admin.
The creds are definitely correct as the error I’m getting back is about that user not having permissions to execute remotely. I guess my lack of knowledge in AD doesn’t help. Any nudge what to research next would be very welcome.

NVM :slight_smile:

One hint I’ll leave you with if you’re reading this - make sure you know what time it is :slight_smile:

Hey all, got some credz, two of 'em but frankly i’m going in circle and pretty much nowhere… Could any of you maybe PM me?? thanks

open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box, open a box, to find another box – i didn’t enjoyed this, nope

any tips please PM me before it retires… got the account(s) but not finding any way to use them to get a shell …

@jwouter said:
any tips please PM me before it retires… got the account(s) but not finding any way to use them to get a shell …

Likewise, would love to get a shell on this before it retires.