Unattended

@krypt said:

So the ports and that md5 are just a troll?

md5 is a troll; for the ports, it’s complicated to answer.

BTW, if you can only do the slow dump, I recommend flushing, increasing threads and not using Burp or a proxy.

Honestly, this box is not a guess box. Try using the nikto tool. It should be a really good start for a foothold if you look closely at the output.

SQL injection is very slow. Any hints on what I should be looking for in the database?

@ronak360 said:

SQL injection is very slow. Any hints on what I should be looking for in the database?

Try with --threads. But maybe this works only by hand and not with automated tools.

Is there any way the XSS on the website is useful? Please PM me.

@ronak360 said:

Is there any way the XSS on the website is useful? Please PM me.

The XSS is useless.

@n00bs1337 said:

This is not a guess box. It’s difficult for me.

This is not a guess box. I learned a lot about ***, but no shell yet.

It really wouldn’t help to toy with threads, as sqlmap to my understanding has a default thread count of 10?

And the max thread count for a blind SQLi is 10 threads or sqlmap screams; correct me if I am wrong.

@wabafet said:

It really wouldn’t help to toy with threads, as sqlmap to my understanding has a default thread count of 10?

And the max thread count for a blind SQLi is 10 threads or sqlmap screams; correct me if I am wrong.

Default thread count is 1

--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

@Glasgow said:

@wabafet said:

It really wouldn’t help to toy with threads, as sqlmap to my understanding has a default thread count of 10?

And the max thread count for a blind SQLi is 10 threads or sqlmap screams; correct me if I am wrong.

Default thread count is 1

--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

sqlmap can be helpful to understand the SQL queries. To get faster results, use the technique flag to not use the time-based (sleep, benchmark…) techniques. Be nice to the server; no need to dump all tables via SQL injection. Anyway, it’s easier to do it once you get a shell :wink:
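Seen from the server side, the time-based techniques and the thread count discussed above leave a very recognisable trace in the web server's access log: sleep/benchmark functions in the query string, bursts of requests from one client in the same second, and 504 gateway timeouts when the delayed queries pile up. The following added example (not from the thread or the box; the log lines are constructed, and the combined-log regex, the function names and the burst threshold are my own assumptions) parses such lines and reports per client which of those indicators appeared, which is the check a defender would run after a pentest or a suspected injection attempt.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format (not taken from the box or this thread).
SAMPLE_LOG = """\
10.10.14.5 - - [10/May/2019:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [10/May/2019:12:00:02 +0000] "GET /index.php?id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.3"
10.10.14.5 - - [10/May/2019:12:00:02 +0000] "GET /index.php?id=1%27%20AND%20BENCHMARK(5000000,MD5(1))--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.3"
10.10.14.5 - - [10/May/2019:12:00:02 +0000] "GET /index.php?id=1%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1" 504 0 "-" "sqlmap/1.3"
10.10.14.9 - - [10/May/2019:12:00:03 +0000] "GET /index.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# Assumed combined log layout: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Delay functions used by time-based blind injection on common database engines (assumed list).
TIME_BASED_RE = re.compile(
    r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_pipe\.receive_message)\b", re.I
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # URL-decode the request target so encoded quotes and spaces become visible to the regex.
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def analyze(log_text):
    """Per client IP: decoded time-based payloads, 504 count, largest same-second burst, user agents."""
    findings = defaultdict(
        lambda: {"time_based": [], "gateway_timeouts": 0, "max_burst": 0, "agents": set()}
    )
    per_second = defaultdict(Counter)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        f = findings[rec["ip"]]
        f["agents"].add(rec["ua"])
        if TIME_BASED_RE.search(rec["decoded"]):
            f["time_based"].append(rec["decoded"])
        if rec["status"] == "504":
            f["gateway_timeouts"] += 1
        per_second[rec["ip"]][rec["ts"]] += 1
    # The largest number of requests one client sent within a single second approximates its thread count.
    for ip, counter in per_second.items():
        findings[ip]["max_burst"] = max(counter.values())
    return dict(findings)


def suspicious_clients(log_text, burst_threshold=3):
    """IPs that sent a time-based payload or at least burst_threshold requests in one second."""
    return sorted(
        ip for ip, f in analyze(log_text).items()
        if f["time_based"] or f["max_burst"] >= burst_threshold
    )


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["max_burst"], f["gateway_timeouts"], len(f["time_based"]), sorted(f["agents"]))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The burst check is deliberately separate from the payload check: a client that has switched sqlmap away from time-based techniques no longer trips the delay-function regex, but a larger `--threads` value still shows up as many requests per second from one address, so the two indicators cover each other.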

I’m currently stuck after the dumping part. I’ve been able to extract some information and I think I know how the application works but I can’t seem to progress. Can someone help me?

Is access.log the correct path for RCE? Can someone PM me?

@Glasgow said:

@wabafet said:

It really wouldn’t help to toy with threads, as sqlmap to my understanding has a default thread count of 10?

And the max thread count for a blind SQLi is 10 threads or sqlmap screams; correct me if I am wrong.

Default thread count is 1

--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

thank you for clearing up that misconception for me

I got all the tables, but I don’t understand the next step. Could somebody help me via PM?

What is causing 504 error?

I don’t understand why people dislike the machine. I haven’t yet seen people here say the exact reason why they disrespect the box. 32 likes and 33 dislikes. And that’s why I’m leaving my opinion here, not about the box, because I can’t really see people being disrespectful to others’ work, work which required so much effort.

Pay attention that the box is rated as a hard box. And you may have forgotten about this. If it is too hard for you, I think you should just quit the box and try the easier ones.

Personally, I learned a lot working on the box, and while working on it I got frustrated too many times. I spent 5 days working on it, and I haven’t found this a reason to dislike the machine and be disrespectful to others’ work, because that’s what things in real life look like: you either keep working or quit what you’re working on.

If there’s something wrong with the box, why wouldn’t you tell about it here with more details?

Be more kind.

Well I’m seriously stuck on this box. I got to a shell through some methods I don’t want to spoil here for those who have no RCE yet (there are more than enough hints for how to achieve it already posted here). But the hints “look at what you have available” and “box has been hacked recently” don’t help me at all. Either somebody before me removed something on this particular machine or this mysterious “available thing” is buried somewhere very weird where I definitely can’t find it. (This part makes me want to issue a reset just to “be sure” nobody messed with it…)

I found that some packages on the box are vulnerable to certain CVEs but one might take almost 24 hours to trigger and the other over an hour on x86_64. So these can’t be seriously the ways to user pwn. Root maybe. But user? I don’t want to wait almost 24 hours only to find out that the sploit didn’t work… any serious hints where to look at with my shell?

/Edit:
After a very useful hint from @dr0ctag0n regarding MySQL grants (sqlmap omitted some crucial ones and I didn’t verify it by hand…) I was able to get user and finally root. If I hadn’t believed in sqlmap’s output I would’ve gotten user way faster. Root is totally WTF or “weird af”… something I have never seen in the wild as an admin.

Mad props to @guly for a difficult box and big thanks to @darkkilla for some valuable pointers.

I think the big reason this box might feel like a ‘guess-box’ to some people is because there’s a lot of information everywhere, only some of which is reliable. You’re going to see most of everything you need to proceed, but you’re probably going to dismiss it because it’s buried in other information that’s pointless. (That’s what happened to me…)

The root could have used a bit more direction, imo. There’s hints on how the system is set up differently just about everywhere but how you take that information and make it into root access is a bit special and how to proceed is hidden deep somewhere you’re not going to find in your usual privesc guide.

What I think a lot of people would benefit from is perhaps this bit of wisdom: The hypothetical admin of this machine is the weak link and your way forward. Find out where he/she has been and done and try to figure out which mistakes they may have made setting up this complex box.

All in all, a really good machine, and I think it really underlines a good way to think when looking for a way forward when surrounded by a lot of information but there may have been a bit too much distance between breadcrumbs for it to not end up confusing at times.

Oh, and either delete your wip files or reset the box once you’re done with root! I got messed up so bad because someone had left a ton of in-progress files everywhere and thought they were intended hints by @guly until I reset the box out of frustration and got root in 5 min.

@ambi said:

I don’t understand why people dislike the machine. I haven’t yet seen people here say the exact reason why they disrespect the box. 32 likes and 33 dislikes. And that’s why I’m leaving my opinion here, not about the box, because I can’t really see people being disrespectful to others’ work, work which required so much effort.

Pay attention that the box is rated as a hard box. And you may have forgotten about this. If it is too hard for you, I think you should just quit the box and try the easier ones.

Personally, I learned a lot working on the box, and while working on it I got frustrated too many times. I spent 5 days working on it, and I haven’t found this a reason to dislike the machine and be disrespectful to others’ work, because that’s what things in real life look like: you either keep working or quit what you’re working on.

If there’s something wrong with the box, why wouldn’t you tell about it here with more details?

Be more kind.

I think the point is that some Insane boxes are easier than this one (rated as medium, which it is not imo). The feeling of having been “cheated” about the difficulty rating of this box compared to the others can be frustrating. This frustration can induce a rage-dislike. I don’t share this way of reacting, but given the number of steps in this box I can imagine that several people didn’t like it because of this difficulty gap / the lack of hints for a “medium” box.

On my side, I spent hours and hours there but I enjoyed it & found, in the end, that each step brings its share of pleasure and knowledge.