Writeup

Type your comment> @mrajput7 said:

please, let me know if there is any script or command which can be used to see which dir are user writeable, I am using find command but it is not giving me much.

find / -type d -writable 2> /dev/null

Type your comment> @thecisco said:

wth … i keep getting a error on the exploit … SyntaxError: Missing parentheses in call to ‘print’. Did you mean print(“[+] Specify an *** target”)?

You’re trying to run a Python 2 script with Python 3.

No matter where I adjust T**E on the script either when executing the script or in the scripts source, it still just wants to zoom its way through and hit me with the ddos protection… Im either noobing this right now or its executing wrong. Any suggestions on possibly how to fix it or set the delay?

Any idea how to crack the hash, using the default script it is taking ■■■■ lot of time and every time I am running the exploit it is giving me a new hash and salt each time.

I’ve been getting the same result after running the script against /wp/ with the ck option, but the creds don’t work on /w**p/a****. I’ve slowed the time element of the script. Any nudges?

edit: got user. Sometimes when a service seems beat it’s good to move on to another one.
edit: got root. That was a fun one. Thanks for the box @jkr

rooted.
thats better

Type your comment> @fatty said:

Type your comment> @mrajput7 said:

 please, let me know if there is any script or command which can be used to see which dir are user writeable, I am using find command but it is not giving me much.

find / -type d -writable 2> /dev/null

Thanks.

@fatty said:

find / -type d -writable 2> /dev/null

For finding writable directories (as well as finding a ton of other stuff) LinEnum (https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh) and/or lse (https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh) will work as well.

Type your comment> @jkr said:

@fatty said:

find / -type d -writable 2> /dev/null

For finding writable directories (as well as finding a ton of other stuff) LinEnum (https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh) and/or lse (https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh) will work as well.

okay sir thanks very much

why this login page, i got creds but can’t login

EDIT: NVM I got it very easy

Is root part obvious or not? Maybe I’m overthinking.

edit: found it.

Type your comment> @Saiyajin said:

Is root part obvious or not? Maybe I’m overthinking.

It depends, if you’re all alone on the box it isn’t in my opinion. @1NC39T10N 's tip is really helpful in that case. Once you see it happening , you’ll know what to do.

Hello all, I have a couple of questions regarding the user flag. I found the w****** page with the a**** pop up. I am guessing the site uses ht******? If so am I supposed to find an LFI? I also found the administrative technology used with wappalyzer. Is there a CVE to be researched here? I am still in the process of finding creds. Any hints would be much appreciated.

@opt1kz noo i tried useing python1 py2 and py3 none worked and got the same error on all 3 tries

Got root. That last part was definitely interesting, nice box!
I had to take a pause from getting root yesterday, kept staring at the wrong place. After a night’s sleep I finally saw the light!
@1NC39T10N’s hint is crucial if you’re on VIP, or you’ll never see what you are supposed to see.

PM me for hints. :slight_smile:

OK #rooted however being on VIP server where is very silent then for this box it’s a huge disadvantage. It is almost impossible to spot intended way. Glad I could ask someone for a hint…

Type your comment> @shibli2700 said:

Any idea how to crack the hash, using the default script it is taking ■■■■ lot of time and every time I am running the exploit it is giving me a new hash and salt each time.

You shouldn’t get a different hash and salt each time. If you are, you may need to modify the script.

Rooted! Really fun box, learn a lot about load order! Anyone who need some nudge feel free to PM :wink:

I found the exploit to access A**** but it gives me always ‘Connection aborted’. Any hints so I can resolve it?

stuck on hash…

solved