Writeup

I can’t find Credentials using the exploit as the server stops responding due to the DOS script implemented in it. Any nudges or help , please ?

Type your comment> @mrajput7 said:

I can’t find Credentials using the exploit as the server stops responding due to the DOS script implemented in it. Any nudges or help , please ?

Be sure to include the directory /w****** in the exploit.

Type your comment> @Zot said:

Type your comment> @Alienware said:

Type your comment> @TsukiCTF said:

Very easy box which is pretty realistic imo.
Hint for user: credential stuffing
Hint for root: pspy

did pspy but still no luck, i know how to do it but could not get which service to

The only interesting thing that pspy reveals is a cron, but the files it creates, are unpredictable (AFAIK), & they out of my permissions range. The box is so stripped down, I find myself using busy*** for basic enums.

well i know one which i can use, thanks to pspy but trying to figure out how to is my question now. Any articles would be appreciated

Type your comment> @amk2 said:

Type your comment> @mrajput7 said:

 I can't find Credentials using the exploit as the server stops responding due to the DOS script implemented in it. Any nudges or help , please ?

Be sure to include the directory /w****** in the exploit.

Whether it is useful to use some word list ?

Type your comment> @mrajput7 said:

Type your comment> @amk2 said:

Type your comment> @mrajput7 said:

 I can't find Credentials using the exploit as the server stops responding due to the DOS script implemented in it. Any nudges or help , please ?

Be sure to include the directory /w****** in the exploit.

Whether it is useful to use some word list ?
Sending you a PM now

Type your comment> @Alienware said:

Type your comment> @Zot said:

Type your comment> @Alienware said:

Type your comment> @TsukiCTF said:

Very easy box which is pretty realistic imo.
Hint for user: credential stuffing
Hint for root: pspy

did pspy but still no luck, i know how to do it but could not get which service to

The only interesting thing that pspy reveals is a cron, but the files it creates, are unpredictable (AFAIK), & they out of my permissions range. The box is so stripped down, I find myself using busy*** for basic enums.

well i know one which i can use, thanks to pspy but trying to figure out how to is my question now. Any articles would be appreciated

I noticed a writeable dir that kinda changed everything (eliminated race condition from my train of thought).

For people stuck on the hash, either use “the tool”'s script or alternatively use hashcat. I’m sure you can make john work somehow but getting hashcat to handle the salt correctly was a lot more straight-forward.

I have never seen the exploit needed for root to be triggered this way, its not always that everyone can learn something from an easy box. My thanks to @jkr

Okay I enumerated port 80 and found the /w****** and with wapp****r i found a particular C** ma** Sim** but how can I exploit this please PM me and help been stuck for a day banging my head against the wall :dizzy:

I guess I am getting good at solving boxes. Keeping things organized helps a lot. Thanks @jkr for your efforts to build the machine.

for user: find the application type/technology, search for exploits on google.
for root: use some tools to snoop on processes and observe file-system changes.

Of course I know that these things I said are very simple, but sometimes people forget to consider them.

I’ve managed to run the exploit and get some creds emails and a salt. I’ve tested the creds in many ways in the web login thing and in the ssh too.

I feel like I’m doing something wrong, am I in the right direction? I will appreciate some hints

Some people are having issues with cracking because what they’re getting out of a popular tool isn’t valid data despite looking like it. Make sure everything the tool gives you looks right. I don’t know if it’s caused by server load or what but if you’re struggling here just consider that as a thing that may be happening.

Can someone help with the password? Each time I run the script have a different result. PM please.

This box is really exposing my enumeration scrubness. I haven’t been able to find a thing without dirbuser, etc.

fail.gif.

Type your comment> @Paggm said:

Can someone help with the password? Each time I run the script have a different result. PM please.

Think of what type of vulnerability you are exploiting and how it finds the correct character. What about network delays?

Hej,

I need some help with root. Used *py6 and found a returning event. Found some directorys where i can write but not list files.

Help would be appreciated <3

If you cannot run dirbuster or other enumeration tool it means something else. Stop resetting the freaking box

Type your comment> @Paggm said:

Can someone help with the password? Each time I run the script have a different result. PM please.

same issue here

Edit & Hint :slight_smile: : OK , Its related to connection stability ,you can break down the exploit and rerun every single piece to confirm or you can play with the time a bit , It will take longer but better results .

Got User .

Type your comment> @TheZeroCode said:

Type your comment> @Paggm said:

Can someone help with the password? Each time I run the script have a different result. PM please.

same issue here

Try to tweak the script, timing is the key :slight_smile:

Type your comment> @TheZeroCode said:

Type your comment> @Paggm said:

Can someone help with the password? Each time I run the script have a different result. PM please.

same issue here

try to run the script with a password file