Conceal

Had the tunnel up and running months ago but couldn’t get a webshell, keep coming back to this machine but can’t seem to do anything with IIS. Would really appreciate if someone could give me a nudge in the right direction on what I’m doing wrong.

@An0maly said:
Had the tunnel up and running months ago but couldn’t get a webshell, keep coming back to this machine but can’t seem to do anything with IIS. Would really appreciate if someone could give me a nudge in the right direction on what I’m doing wrong.

What if you don’t attack IIS at all and look at some other service?

For anyone else facing the same problem I had, turns out you have to try many different webshells till one works, could be a limitation on the ASP version on the box itself.

Thanks to @r0t13weiler and @tabacci for helping me troubleshoot it and finally wrap this one up.

I got a VPN password with no username, help me guys!

Spoiler Removed

@21y4d said:

This is not the way to learn ip***. The way to properly learn it is to set it up on both sides, knowing in advance the settings!

Having to use brute force tools to guess the settings, and then having to figure out the proper way to write the command, only to have it not working for something else we still don’t know, is just stupid…

I would say I agree with you. Would you mind sending me a PM with useful links/references teaching the process on both sides, start to finish (if you know of any)? Cheers

Finally rooted!!! What a boxxxx!! PM me for help :slight_smile:

Conceal is the best box that I played on HTB.
From the first step till root it is extremely practical and useful in real security practice.

Try it right now if you have not tried it! Conceal is a must-try box.

Will miss it after it retired.
And looking forward to reading Conceal write-ups from experienced hackers.

I just gotta say, I’m happy to have finally established the VPN connection (now that Conceal is retired & there are tutorials) BUT, I’m kinda mad (don’t be mad bro!) >:( I spent a good chunk of time reading, learning, VPN stuff before box retirement, basically my config lacked 2 things. One item, the l**t=p (I know it’s retired, but a spoiler is a spoiler) & the corresponding entry rt=p, so I guess 3 things actually, because the next entry ty=t*******t isn’t exactly well documented (I know that from googling “the entry” site:strongswan.org). I don’t know if I would have ever figured that out on my own. The first 2 there that I needed were in a README, so that’s my bad. I promise to always read the README from now on, promise. Anyways, I guess I feel better now, back to hacking.

I have been following Ippsec’s video on Conceal. I am having trouble getting an asp webshell to work. When I try to execute a cmd I receive the error “An error occurred on the server when processing the URL”. I have tried multiple asp web-shells with no luck - I am not really sure what’s going on that causes this. I have strongswan configured correctly, and I reset the box to be safe.

Yo, guys, I need some help with this nasty ■■■■■■. I am at the PrivEsc part of the job, and JP works with the value I give but it won’t execute my .bat or any file I give later on! Is juicypotato not working on this box anymore? Every writeup we have uses juicypotato! Just wanted to know if it’s something at my end!

Wasted a good 10h on a tiny protocol mismatch :wink: other than that it was a nice box.

Nudge: If you can’t execute anything, the reason might be different to what you think it is.

Do these old boxes get patched or something? Whatever I try to throw at it for privesc, the Antivirus catches. Been working at it for day until I decided to look at the walkthrough, just to see that the method used is no longer applicable.

Is it me that’s doing something wrong here, or is the box actually patched?

@PlayerThree said:

Do these old boxes get patched or something? Whatever I try to throw at it for privesc, the Antivirus catches. Been working at it for day until I decided to look at the walkthrough, just to see that the method used is no longer applicable.

Is it me that’s doing something wrong here, or is the box actually patched?

I actually have the exact same question. Several older boxes seem to be impossible to get full user or root now, the payloads don’t go through.

@PlayerThree said:

Do these old boxes get patched or something? Whatever I try to throw at it for privesc, the Antivirus catches. Been working at it for day until I decided to look at the walkthrough, just to see that the method used is no longer applicable.

Is it me that’s doing something wrong here, or is the box actually patched?

This question came to my mind after the 3rd day trying privesc. I found the vuln pretty soon but then no files I need can be uploaded. Either as plain-executable or encoded ps script…

User was hard as well as none of the revshells / nc etc worked - but I found a snippet of powershell rev-shell that did not get caught and allowed further enumeration on the machine.

To confirm that my methodology was right I read some of the walkthroughs and found the exact same steps I was planning to do…

Yes I had the same thing. What I did was divide the upload in chunks of 1024 bytes. Merge that again on the target.

@gh0stm5n said:

Yes I had the same thing. What I did was divide the upload in chunks of 1024 bytes. Merge that again on the target.

Great idea, will try this one next time I go into the labs.

I spent several hours on this box. Impossible to get the rev shell from that webshell: I tried Nishang’s remote and local and also nc64 from the webshell directly… never got a shell so I’m stuck :frowning:

Any hint what I’m doing wrong?

Based on the previous comments and the intermittent connection problems - I’m considering this box to be broken.

Same here. Impossible to get a revshell. Also tried nishang and nc64, my Python server receives the GET request, but no revshell is received in my nc. The funniest part: today I saw a YouTuber solving the machine on Twitch, and he could get a revshell with no problem. So I think it is a problem with my Kali or something.