Scavenger

I have the user, now I work for the root. :smiley:

Can I access the whs over HTTP? Can see the vulnerability on the backend of the service, tried fuzzing it with a Python script. Wanting to throw sq*ap at it, but it only works for HTTP as far as I know.

I've seen the vhost for the service but getting the error

@badman89 said:

Can I access the whs over HTTP? Can see the vulnerability on the backend of the service, tried fuzzing it with a Python script. Wanting to throw sq*ap at it, but it only works for HTTP as far as I know.

I've seen the vhost for the service but getting the error

You don't really need any tool. That vuln is simple enough to do it on the command line.

@julianjm said:

@badman89 said:

Can I access the whs over HTTP? Can see the vulnerability on the backend of the service, tried fuzzing it with a Python script. Wanting to throw sq*ap at it, but it only works for HTTP as far as I know.

I've seen the vhost for the service but getting the error

You don't really need any tool. That vuln is simple enough to do it on the command line.

Got it, thanks!

Is the insect M***s the right way here? I know I can upload but I don't know if this is configured to disk or database. The xl method doesn't appear to be valid on the version running.

So far a really engaging box!

So I exploited the vuln and dumped the data, but the info obtained is not useful and I also don't have any r/w perms. Any small hint is highly appreciated. :slight_smile:

@mpzz said:
So I exploited the vuln and dumped the data, but the info obtained is not useful and I also don't have any r/w perms. Any small hint is highly appreciated. :slight_smile:

Check the obtained data and redo a step you already did earlier, but with the new data…

I have an RCE but it's very limited with limited R/W permissions. No reverse shell too, or anything remotely better.

Any tips would be appreciated.

OK, got past the first vuln. So much to look at, can't seem to find which avenue is the right way to go.

Finally rooted, a box that I did not particularly appreciate especially since she has a lot of rabbits.

Could I get a PM nudge in the right direction for syntax errors with a certain early step?
I can give my notes, just not sure what I'm missing since I'm not too familiar with the method. I keep getting syntax errors no matter what I try, but I can manipulate the output of those errors.

Thanks @jorgemorgado for your nudge in the right direction. I appreciate your help!

Totally lost on this one… trying to S*L inject WH**s but lost there… Can someone PM me on initial foothold

@jayjay25 said:

Totally lost on this one… trying to S*L inject WH**s but lost there… Can someone PM me on initial foothold

You are on the right track, you must try a lot harder and counter the mistake.

I'm terrible with the S//i vuln, tried for ages without any success, so I'm instead trying to guess the information I'm looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

@mech said:

I'm terrible with the S//i vuln, tried for ages without any success, so I'm instead trying to guess the information I'm looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

You should continue with S ** I. Just try to analyze and counter the error. Imagine in your head how the query is created.

@Seepckoa said:

@mech said:

I'm terrible with the S//i vuln, tried for ages without any success, so I'm instead trying to guess the information I'm looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

You should continue with S ** I. Just try to analyze and counter the error. Imagine in your head how the query is created.

Managed to get it now, thanks :slight_smile: Was missing something when I was trying to imagine how things looked on the other end.

Hey!
I found a way to retrieve something from W***S with a wildcard, but I don't know if it's correct or I need to try another way…
Unfortunately I didn't find a method to inject a correct query. If someone can PM me a hint of how to “close” the query field…

THX

Update: looking for a way to RCE… Should I look to W***S or to web?

Can anyone tip my hat and tell me if I'm shopping for the right way to get RCE?

Got past the w**** thing a few days ago using s***ap, there's a way to do it, you just have to hack some things together.

For the initial foothold, consider everything. If you see something that is interesting but you're not sure what to do with it, consider spending more time on it instead.

Getting from foothold to user required enumeration of a lot of things. I knew what I was looking for, but not where. One of the last places I'd looked, really. The slow thing is slow, but you don't really need to use it unless you're stuck and need to find where you are.

Gotta get to root…

Finally rooted this box
What a nice box, to say the least. I really enjoyed it all the way, especially the user part; there were lots of rabbit holes… Really well done to the creator of this box, @ompamo, thank you, I learned a lot :slight_smile: … I just think that user was a bit more complicated than root.
I would like to thank all the people that helped me, especially @Angel235 and @Seepckoa. I wouldn't have made it without you guys.
I will drop some hints.
For user:

  • You need to find all you can about the box and really enumerate everything. Once you see the lower port in which you will be asked to query something, and once you have found it is vulnerable, do more enumeration; you need to Dig all the way around.
  • Once you have found what you are looking for, redo a step that you made before and you will find what the HTTP port is asking you; you will have your hat xD. Do more enumeration and you will get the user flag, but with restricted access. By analysing some p**p file you will find some creds; use them to your advantage.

For root:

  • You need to do some googling when you find that file