This box reminded me of a date I was on a few years ago - first part I was pleased with, thinking I had probed where I needed to, got the responses I needed and it was going to be easy. As it went on I encountered things I had not done before, learned a few new tricks and spent quite a few moments trying to work out what goes in where.
Once I had finished I sat on the couch catching my breath, feeling pleased with myself!
Hi guys. I get usernames and the Password W******* from port 3***. I tried in combination the usernames with that password on 3 login pages, but nothing works. I'm stuck, any help?
All the users you found have their own passwords that need to be obtained. Same way you found that password you can find the other passwords that will work somewhere else.
I'm having trouble getting the token. I am trying to authenticate through curl, but I'm assuming my syntax is off as I am receiving a forbidden result instead of a token. Can someone help push me in the right direction?
Guys, I can't understand what I forgot to enumerate. I found in the f** the file for_cht. 2 web control panels (/mt and p 8) and the 3* service. I already know the syntax I need to get the token but I can't find the credentials I need to add to that request to get the token. Any hint?
edit: rooted
hint: try to open all the files that u find with the dirb*** scan (even the ones that u usually can't open)
This machine should be simple and straightforward, given that you know the basics of js.
A few things might delay you though, so take the following notes:
1-Use dirbuster with recursive mode
2-At the auth step you have to guess a username, but it should be one of the top 5 that come to mind
3-Username might be case sensitive
4-No need to overthink, or even try different combinations of creds, keep it simple
rooted. Good box to develop web enumeration skills.
Hints : Take note of all (and I mean all) ports which are open on this box as you will need all of them.
Enumerate everything (zap \ burp spider is not sufficient here) to find multiple login pages.
The service running on the strange port is not a web site but behaves like one and you will need to use a combination of all credentials found and some knowledge of JWT tokens. Medium do a good post for reference on this element.
Wow. In hindsight simple, but once again the learning: do not assume anything. Verify everything. Somehow it got in my head that the service on 3 is graphql. What the ■■■■.
feels like I’m going in circles with this box…
I have got a gang of user creds but they don't seem to work anywhere…
and there are at least 3 spots to enter them…
Thanks @iamsundi for his help.
Now I know that not all seclists are the same. Was missing one URL in my enum results.
At this point there are more than enough hints on this thread. Especially medium.com tutorial. After you get the token use it as much as possible and use what you found to generate new URLs to get even more info.
Ok, the Medium part I needed to learn, but it has frustrated me so much I could no longer think what to do with the users. Nice post mate!