Frolic

Hello, I have idk*********s and enumerated the high HTTP port but found nothing yet. I mean I found 4 dirs (one of them is a loop) but found nowhere to use the pass. I’ve also found another service (Brazilian dance) but it doesn’t seem to be the way.
What am I missing?

I’ve also enumerated subdirs for every dir I’ve mentioned before. I’m stuck now, I’d appreciate any hint or nudge you can give me.
Thank you!

Oh! Almost forgot, I also have a pair of creds, usr/pass, found in the b****p dir but nowhere to use them.
I’m completely lost.

Edit: Done user! Thank you @clmtn

Hi guys, I have found the two pairs of credentials + the “idk” password.

I have enumerated directories as much as I could, using both Gobuster and Dirb, used different wordlists (for both directories and files) and still can’t find that login page for “ps” that everyone seems to find. I have found the “ps” directory but it just returns a 404. I have tried to enumerate files and further directories from that one, with no success.

I keep running into those loop directories which are recursive up to a certain point, but I have a feeling that is just a rabbit hole.

Would appreciate a PM on which direction I should go :frowning:

I successfully logged in to p**YS*S.

Now how to get user? I can’t determine the p**YS*S version.

What type of shell should I use here, i.e. bind or reverse?

What interface do I need to use, i.e. eth0 or tun0?

I used Metasploit but it starts the reverse handler and then it shows “Exploit completed but no sessions was created”.

Please help

@laxudope said:

I successfully logged in to p**YS*S.

Now how to get user? I can’t determine the p**YS*S version.

What type of shell should I use here, i.e. bind or reverse?

What interface do I need to use, i.e. eth0 or tun0?

I used Metasploit but it starts the reverse handler and then it shows “Exploit completed but no sessions was created”.

Please help

I googled p******S vulns and found a git repo with a useful script. :wink:

One should always google first, as a rule.

Good Luck!

This box is not frolic at all. Regarding user, searchsploit p*****s will also help.

Took a few days, but finally popped this one. And although enjoyable (maybe not so much at the time), it shouldn’t have been the first one I attempted.

Rooted :slight_smile: It was made difficult by removing gdb.

Thanks @clmtn for the help.

Hint for the r*p BOF: 52 in magic number.

Anyone able to give me a hand for root? Messing with this BOF now and I’ve made some progress but I’m unsure where to go from here.

EDIT:
Nvm, rooted :stuck_out_tongue: It was my first BOF and I managed to get it done with no hints. Just lots of research.

Can anyone provide some hints? I have decoded the …/? and am now onto the second one but can’t get it to anything useful.

I decoded .!? but I’m not sure how to go about the next one. Can someone PM me with some hints?

Can someone give me some hints? I got one username and password from /baup and two logins, but it doesn’t work. I know it has p****ms. Plz PM me. I didn’t find anything in s.

@B1ngDa0 said:

Can someone give me some hints? I got one username and password from /baup and two logins, but it doesn’t work. I know it has p****ms. Plz PM me. I didn’t find anything in s.

decode “!.?.” and use it in p****ms for user.

@s0kIt said:
I decoded .!? but I’m not sure how to go about the next one. Can someone PM me with some hints?

Look carefully in the JS, use that for login in n**x, then look for subdirs. You may find something useful in the “sub sub” directory.

I get a weird behavior from meterpreter. Can anyone help please?

Rooted. I got user 3 months ago.
Left root for a while, but read a lot and learned what it takes to own it.
It was very good practice. Feel free to PM if you need help. No spoilers, I will give you the methods that led me to it.

I’m trying to exploit the r*p binary.
I’ve already read all this that was posted here:
http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html

https://www.shellblade.net/docs/ret2libc.pdf

Also watched ippsec video.

I can’t make it work so I have a few questions:
1- Did you copy the binary to your own box to disassemble it? I think it’s not necessary since I have the addr and offsets.
2- Did you have to build a new binary? I don’t think it’s necessary either.
3- My reverse shell is a bit limited and doesn’t show all the output. Can this be my problem? What did you do?

I’m a bit lost. The idea is really simple and I knew this technique before.

I hope there are no spoilers in this message; all the info posted here was mentioned before in the thread.
Any advice would be appreciated.

@epsequiel have a look at IPpsec October video :slight_smile:

@laxudope said:

@B1ngDa0 said:

Can someone give me some hints? I got one username and password from /baup and two logins, but it doesn’t work. I know it has p****ms. Plz PM me. I didn’t find anything in s.

decode “!.?.” and use it in p****ms for user.

Sorry, I didn’t find the “!.?.”
Can you PM me and tell me more? Plz

@B1ngDa0 said:

@laxudope said:

@B1ngDa0 said:

Can someone give me some hints? I got one username and password from /baup and two logins, but it doesn’t work. I know it has p****ms. Plz PM me. I didn’t find anything in s.

decode “!.?.” and use it in p****ms for user.

Sorry, I didn’t find the “!.?.”
Can you PM me and tell me more? Plz

I’ve sent you a PM.

@RyanW18 said:

@epsequiel have a look at IPpsec October video :slight_smile:

I already watched it. I tried his method but still nothing.
I’ve got the addrs with ld* and the offsets with st****s.