@0x6a666c6a72 said:
I have creds for the service, but need help getting the exploit to work. I’ve tried formatting it in different ways/using different commands with no luck. Please PM for some direction.
Same here, if anyone could point me in the right direction it would be greatly appreciated.
@saminskip said:
How are y’all getting creds for c*****? Trying to run hydra at it but I might not have a great grasp on the syntax.
Execute hydra -U <protocol> if you want to get a quick understanding of the syntax. It includes some examples that could inspire you.
Using the API for brute-forcing the password. If you know anything about web apps vs. REST APIs you know why.
Using the API for exploiting the vulnerability. I couldn’t get the payload to work using the known exploit. After some frustration, I wrote my own script that took my remote command as an input, and allowed me to execute the exploit using the API. Worked right away! After completing the box I think I know why the REST API was a better path.
I went wd → root. Basic enumeration showed something that could easily be exploited for priv esc.
I 100% agree! This box was a lot of fun. It threw in some frustration and forced you to kinda think of ways to get around stock presets. I love it when curve ■■■■■ get thrown. Not saying it was a hard box, but it had a great balance of challenge without being so time consuming. I liked it. Thank you.
Any hint on the “verbs” hint? I’m not a native English speaker… I’m at the point of a “bad credentials” reply from the API, except one cred that results in a 403. Not sure I’m on the right path.
After we found the pages, is it the LFI or SQL injection method? I tried brute force with the top verbs collections, but after 4 hrs it failed. Can anyone share some more hints about the Argot theory, please?
Initial HINT for dumb people like me who can’t find c*******:
First you need to find m*********.
To search for m*********, you need to do the most common thing that can be done with the d**b tool, and at the same time not give it anything that is outside of its standard directory.
After that, pay all attention to the found m*********, but, as already said, you do not need brute force!
Then the question arises: what can be done other than brute-forcing?
Here you need the hint about the teacher and verbs.
However, this was not enough for me: note that sometimes a slash can be crucial.
After that you should look at what the server told you.
I hope I haven’t suggested too much?
@suretshi Can you DM me? Or can anyone? I figured out the “verb” I was supposed to use, but I am very much a noob at web stuff and don’t really know what to do with the information I received. Thank you in advance!
I wrote a script to brute-force the login page and got the password, but I would like to know how to brute-force the API part. I don’t know what data to send (I tried ad***=&pass***=) but it keeps saying unauthorized.
I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.
I enjoyed the box. Thanks @askar … To anyone that is struggling the hints that are listed should be more than enough to get you there. I made this way harder than it had to be.
I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.
Nope. That mechanism is kinda sketchy, but our best guess is that whenever you get 403 Forbidden it’s because of the usage of some restricted chars, like space for example. That could also be used to verify (kinda) that your payload is legal.
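From the defender's side, the two behaviours this thread keeps circling back to (password brute-forcing against a login page or REST API, which shows up as a burst of 401/403 replies to one client, and HTTP verb probing, which shows up as several methods tried against the same path) are both visible in plain web access logs. The script below is an added example, not code from the thread or from the box; the log lines, IP addresses, paths and thresholds are constructed and hypothetical.

```python
"""Triage of combined-format web access logs for credential brute-force
bursts and HTTP verb probing.  Added defensive example; all sample data
below is constructed, not captured traffic.  Thresholds are hypothetical."""

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" style line, e.g.
# 10.0.0.5 - - [12/Mar/2023:10:15:01 +0000] "POST /api/login HTTP/1.1" 401 52
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Methods a typical browser-facing app is expected to receive.
COMMON_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_auth_bruteforce(events, threshold=10, window=timedelta(seconds=60)):
    """Map client IP -> peak number of 401/403 responses seen inside any
    sliding window of length `window`; only clients at/above threshold."""
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] in (401, 403):
            per_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def find_verb_probing(events, min_methods=3):
    """Map (ip, path) -> sorted methods where one client tried at least
    `min_methods` distinct methods on a path, or any uncommon method."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["ip"], e["path"])].add(e["method"])
    return {
        key: sorted(methods)
        for key, methods in seen.items()
        if len(methods) >= min_methods or not methods <= COMMON_METHODS
    }


def triage(lines):
    """Parse raw lines (skipping junk) and run both detectors."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "bruteforce": find_auth_bruteforce(events),
        "verb_probing": find_verb_probing(events),
    }


def build_sample_log():
    """Constructed log: one noisy client hammering /api/login, one legitimate
    user with two typos, and one client walking methods on /api/servers."""
    base = datetime(2023, 3, 12, 10, 15, 0, tzinfo=timezone.utc)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [f'10.0.0.5 - - [{stamp(2 * i)}] "POST /api/login HTTP/1.1" 401 52'
             for i in range(12)]
    lines += [
        f'10.0.0.9 - - [{stamp(5)}] "POST /api/login HTTP/1.1" 401 52',
        f'10.0.0.9 - - [{stamp(40)}] "POST /api/login HTTP/1.1" 401 52',
        f'10.0.0.9 - - [{stamp(55)}] "POST /api/login HTTP/1.1" 200 311',
        f'10.0.0.9 - - [{stamp(58)}] "GET /index.html HTTP/1.1" 200 1024',
        f'10.0.0.7 - - [{stamp(70)}] "GET /api/servers HTTP/1.1" 200 88',
        f'10.0.0.7 - - [{stamp(71)}] "PUT /api/servers HTTP/1.1" 403 0',
        f'10.0.0.7 - - [{stamp(72)}] "DELETE /api/servers HTTP/1.1" 405 0',
        f'10.0.0.7 - - [{stamp(73)}] "PATCH /api/servers HTTP/1.1" 403 0',
        "this line is not a log entry",
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(name, result)
```

The sliding window matters more than a flat count: a legitimate user who mistypes twice over a minute never reaches the threshold, while a tool retrying a wordlist does in seconds. The 403s in the verb-probing client's trail are also a reminder that a blanket 403 tells the defender little about why a request was refused, so logging the actual rejection reason server-side (method not allowed, disallowed characters, missing role) is worth more than the status code alone.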
@badman89 it could easily be guessed but could even easier be rocked