Boom! ROOTED; Special thanks to @weeblix and @0xNoOne for your patience and help throughout!
For what it's worth:
USER: Focus on that cl syntax and don’t get stuck trying the same USER over and over again. Once that is done, utilize the information you found during the enumeration and start teasing your logins. If you found the c***.p** you are on the right path.
ROOT: Soooooo, within 45 seconds of USER I gained ROOT so you do the math.
Nice box. A bit disappointing that the Ajenti service is run by the root user and you don't have a privesc flow. Reverse shell can be done but is not necessary.
However, I spent 1 day figuring out the curl syntax, but the time was a benefit because I also discovered the Postman tool. Thumbs up anyway for the JWT approach; it's not very widespread among developers, but industries such as banking are starting to use it.
Anyone have a minute to help? I am having a heck of a time getting a certain “Olympic sport” C*** command to work. Going crazy trying to get the t****. I don’t know if I am using the right credentials.
You can shoot me a PM, make sure to include everything you tried.
I need some help with the web-panel login. I do have all users & passwords enumerated. I also have four login endpoints. I literally tried every combination, as well as lower-/uppercase ones. I also tried some other common usernames, with all the passwords that I managed to get.
Could anyone give me a hint on why the login won't work?
Thanks.
Let me put this other than a spoiler.
1 list everything from the lowest to the highest port
the credentials you find with that enumeration use it to get the token in the odd port
help C ** l Using cURL to authenticate with JWT Bearer tokens | by Niel de Wet | Medium
use the token to have user information
use that user information to start section in M **********
there look everything to see what you can use for A ***********
everything is ready
thanks @tilznit
Rooted - the json was quite fun. Really enjoyable box. While the quick root may have been a let down, it felt like something I encounter at work from time-to-time.
I have multiple sets of usernames and passwords, used dirsearch, gobuster, dirb for the portals. I have enumerated 3 login portals, however, I still could not log in. Even tried to pass the token to log in. NO ROOT!! This is frustrating. Any hint, please?
Edit: never mind, I had everything already. Took a break, tried again and rooted. DM for hints
Soooooooo stupid. Easy and stupid. Don't forget to enumerate 3k port (dirs on it), and learn some JWT, remember root alternative name (windows name?). Don't forget about wrong ways and… hate. Should I think that I am lowskill?
Got user and root in 10 minutes after 2 hrs of thinking and reading the forum.
A useful lesson from this box: Finish your enumeration thoroughly, methodically and patiently to display all possible routes in, before moving to try and exploit - otherwise you will miss things out and give yourself a real pain when things don't work.
There are tutorials around that explain how to interact with the middle port service properly - also another recent HTB machine with the same service running. The Ippsec video / writeups of that one would be useful.
Feel free to PM and I can direct you to links etc.
Stuck with the enumeration.
Found 3 login pages and d* user and pass.
Tried everything I know (maybe overthinking).
Ran ds**** and c*, no luck with the token or any more enumeration.
PM if you have a hint or want to help.
Greetings fellow Hackers,
I'm quite new to all this, but I'm learning quite a bit every day. However, on this box I've located a few LI pages and a f**_o. file in the odd port. Not sure if it has significance. Also, I keep running into a wall with respect to 3 after receiving no auth t****. Not sure how to proceed, and I've busted the 3*** and 8***, but I'm not sure how or what to do with the coding info I'm looking at. Could use a nudge plz…anybody?
ROOTED. Getting the cl syntax was the biggest problem for generating the tn. Don’t take the syntax in the first medium post for granted, play around with the format. Guess the username needed. The rest if you have enumerated well will quickly fall into place once you can auth to 3***.