Luke

Well, finally got user; now looking for the root :slight_smile:

And root in 5 min… PM for help.
Thanks to @Arrow, @bri77 and @FNGCrysis for pointing me in the right direction. Hope I'm not forgetting anyone that helped.
It was in front of me and I didn't see it.
I took a break and it was clear!
That machine taught me some more about web app PT.
It was not easy, but after you finish you understand how it can be easy.

Rooted.

Thanks to @Blu3wolf and @feuillemorte for their help. First box attempt, and it was frustrating at times. But gosh darn it, we persevered and made it happen. Thank you for the help, everyone. My only tip:

…make sure you are using the correct login portal when the time comes. And don't get tunnel vision, like me.

OK, so this is quite an easy box, although I must admit getting my request configured correctly to grab the t**** from 3*** took me a while, as it's not 100% obvious which creds to use (when you crack it you'll see what I mean), but that's how this kind of thing would be in real life, I suppose.

After that, though, it's plain sailing as long as you have found all of the login places and gathered all of the relevant users and creds that you can.

Oh, and btw, a lot of people on here mention the Medium article and the use of cURL and Postman, but you can do this just fine with Burp and your fav web browser too.

I personally found the User and Root text files in exactly the same way once logged in, so not sure if you were supposed to follow a different path? However, in conclusion, this box is tricky in places and has plenty of pitfalls to navigate around before you easily get across the finish line.

■■■■ I was pulling my hair out trying to get that JWT curl command to work, but a quick play around with endpoints and removing something that was not required returned a successful token!

Ecstatic!

Thanks @DrDrizzyT for the nudge without giving too much away. I understand why everyone was so let down by root… there could have been a few ways to make that more interesting, but learning curl for JSON Web Tokens was worth putting in the effort.

Some hints:

  1. Yes, do a heap of enumeration. I have already learnt this from ippsec videos, as I have watched a LOT of his videos, so this part was easy for me. I found all the directories and files first try using the correct extensions, which I run every time I hop onto a box. Dirbuster will find this for you straight away, or you can use Gobuster and change the status codes. The best thing about Dirbuster, though, is that it is recursive.

  2. Once you have creds: same as the majority of boxes, just because you have matched a username to a password doesn't mean that these two match on every part of the machine. I have found on multiple boxes that USERS are interchangeable. A common error by users in real life.

  3. Yes, read the Medium article on curl and JWT. There are a couple of decent hints already on this thread, but sometimes some extra commands are not needed. It is not always best to copy word for word what is in an article. The main parts are normally correct, but add-ons sometimes aren't really needed for the specific machine you are working on (especially if you don't know what they are doing). Take this into consideration.

  4. If you have done everything successfully so far, especially with enumeration, you should know where this newly acquired token is to be used. Once you receive this first list, and then receive your first creds, have a look at your link again and have a think. Things should fall into place.

  5. You should know what to do at this point! Quite an easy path from here.

If this is too much of a spoiler, I apologise. I tried to keep it cryptic enough with the little pointers that would have helped me throughout.
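The hints above revolve around getting a JSON Web Token from a login endpoint and then using it elsewhere. As an added illustration, not code from any post in this thread and not the machine's own API, here is a small Python script that shows the mechanics: what a compact HS256 JWT looks like, how to read its header and claims before you trust it, how a server verifies it, and how it is attached to later requests as a Bearer header. The secret, claim names and expiry values are constructed for the example and are not taken from the box; the endpoint you send the header to is whatever your enumeration turned up.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a throwaway HS256 secret and claims.
# Nothing here is taken from the machine discussed in the thread.
EXAMPLE_SECRET = b"example-secret-not-from-the-box"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a token the way a small Node/Express API using HS256 would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ])
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) without checking the signature.

    This is the first thing to do when a login endpoint hands you a token:
    read alg, exp and any user/role claims to learn where it can be used.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def verify_hs256(token: str, secret: bytes, now=None) -> bool:
    """Server-side check: pinned algorithm, constant-time HMAC compare, then expiry."""
    header, payload = decode_jwt_unverified(token)
    if header.get("alg") != "HS256":
        return False  # refuse algorithm confusion such as alg "none"
    head_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    now = int(time.time()) if now is None else now
    return "exp" not in payload or payload["exp"] > now


def bearer_header(token: str) -> dict:
    """Header for later requests, i.e. curl -H 'Authorization: Bearer <token>'."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    tok = make_hs256_jwt(
        {"username": "demo", "iat": 1700000000, "exp": 1700003600}, EXAMPLE_SECRET
    )
    print(tok)
    print(decode_jwt_unverified(tok))
    print(bearer_header(tok))
```

The decode step needs no secret, which is why a quick look at the payload (claims, expiry, algorithm) is usually more informative than staring at the curl command; the verify step is what the API does on every request carrying the Bearer header, so a token whose payload has been edited by hand fails there regardless of how it is sent.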

Could someone help me with the token? PM me pls.

I think I'm really getting stuck somewhere with the enumeration, especially on port 8*. I was able to find 2 sets of creds, using the first cred, modified a bit, to get to the 2nd cred. I'm at a complete roadblock with what to do with the 2nd cred, if anyone will please PM me with some guidance. I have tried PLENTY, but I have a feeling I'm overthinking it all. Any help is greatly appreciated.

EDIT: I was very close, just needed to think a little harder about port 3***. Rooted now. PM me if you have questions!

@frayedlife said:
Arrrrrrrrrrgh… got tn, and auth on 3. Found u***, and u****/a**** and got the relevant data. Now have a bunch of usernames and a couple of recovered passwords. Tried all combos on all 3 login sites and no joy…

Gotta be missing something easy… of course it's always easy in hindsight. Lol

Any help?

Stuck in the same boat, need some help here. Thank you
Edit: Rooted

Can someone please help me? I really don’t understand what I’m supposed to do with port 3***.

Can someone point me towards a document on enumerating n***.js with curl? Or am I going off piste?

Hi, I found the portal but no credentials; any help would be appreciated.

I have found both p** files and the file on the odd port, however I can't log in. Can someone DM me?

rooted, thanks to @0x00f for help :slight_smile:


Hi, could use help with the enumeration phase. I have run Dirbuster and have one of the usernames/passwords. PM me, any hints would be helpful :slight_smile:

nvm, you were right, used dirb to find /login

I can't get the token. I tried the c*** command using the ** credentials and even changed the default use****, but I get the "Please auth" response. If anyone wants to give me a hint, please feel free to PM me.

Can anyone PM me? I can't find anything with dirb/uster; I only have a txt on port 21.

Forgive me, for I'm a noob. I have the a*** t**** but I'm not sure how to use it… can someone plz help me with that?