Wall

@0x6a666c6a72 said:
I have creds for the service, but need help getting the exploit to work. I’ve tried formatting it in different ways/using different commands with no luck. Please PM for some direction.

Same here, if anyone could point me to the right direction it would be greatly appreciated :smile:

@saminskip said:
How y’all getting creds for c*****? Trying to run hydra at it but might not have a great grasp on the syntax.

Execute hydra -U <protocol> if you want to get a quick understanding of the syntax. It includes some examples that could inspire you.
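The thread above is about guessing API credentials quickly; the flip side, for anyone defending such a service, is that the same activity is easy to spot in the web server's access log. The following is an added example (not code from this thread or from the box's author): it parses constructed combined-log-style lines, flags a source IP whose failed logins against an assumed login endpoint cluster in a short window, flags unexpected HTTP verbs against that endpoint (the "verbs" hint discussed later in the thread, seen from the server side), and singles out the case that matters most, a success following a burst. The endpoint path, the thresholds and the log lines are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-style line: client ip, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumptions for this example: the API login endpoint lives here and real
# clients only ever POST to it; 401/403 are how it reports a failed login.
LOGIN_PATH = "/api/login"
EXPECTED_METHODS = {"POST"}
FAILED_AUTH_STATUSES = {401, 403}

# Constructed sample log (not from any real server): 10.0.0.5 guesses
# passwords rapidly and eventually gets in, 10.0.0.9 probes the endpoint
# with unusual verbs, 10.0.0.7 is an ordinary user with one typo.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:30 +0000] "POST /api/login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:31 +0000] "POST /api/login HTTP/1.1" 401 52
10.0.0.7 - - [10/Oct/2023:13:55:31 +0000] "POST /api/login HTTP/1.1" 200 310
10.0.0.5 - - [10/Oct/2023:13:55:31 +0000] "POST /api/login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:32 +0000] "POST /api/login HTTP/1.1" 401 52
10.0.0.9 - - [10/Oct/2023:13:55:33 +0000] "GET /api/login HTTP/1.1" 405 0
10.0.0.5 - - [10/Oct/2023:13:55:33 +0000] "POST /api/login HTTP/1.1" 401 52
10.0.0.9 - - [10/Oct/2023:13:55:34 +0000] "OPTIONS /api/login HTTP/1.1" 403 0
10.0.0.5 - - [10/Oct/2023:13:55:34 +0000] "POST /api/login HTTP/1.1" 401 52
10.0.0.5 - - [10/Oct/2023:13:55:35 +0000] "POST /api/login HTTP/1.1" 200 310
10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "PUT /api/login HTTP/1.1" 403 0
10.0.0.7 - - [10/Oct/2023:14:20:00 +0000] "POST /api/login HTTP/1.1" 401 52
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every well-formed line of a log blob, silently skipping the rest."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def detect_auth_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Per source IP, count failed logins in the busiest sliding window.
    Returns {ip: max_failures_in_window} for IPs at or above threshold."""
    per_ip = defaultdict(list)
    for r in records:
        if r["path"] == LOGIN_PATH and r["status"] in FAILED_AUTH_STATUSES:
            per_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_unexpected_methods(records):
    """Sorted (ip, method) pairs that hit the login endpoint with a verb we do not expect."""
    return sorted({(r["ip"], r["method"]) for r in records
                   if r["path"] == LOGIN_PATH and r["method"] not in EXPECTED_METHODS})


def success_after_burst(records, threshold=5, window=timedelta(seconds=60)):
    """IPs that were flagged for a burst and then got a 200 on the login
    endpoint later than their first failure: a guess that landed."""
    bursts = detect_auth_bursts(records, threshold, window)
    hits = []
    for ip in bursts:
        first_fail = min(r["ts"] for r in records
                         if r["ip"] == ip and r["path"] == LOGIN_PATH
                         and r["status"] in FAILED_AUTH_STATUSES)
        if any(r["ip"] == ip and r["path"] == LOGIN_PATH and r["status"] == 200
               and r["ts"] > first_fail for r in records):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("burst sources:", detect_auth_bursts(recs))
    print("unexpected verbs:", detect_unexpected_methods(recs))
    print("burst then success:", success_after_burst(recs))
```

The threshold of five failures per minute is deliberately low for an API endpoint that browsers never hit by accident; a human mistyping a password does not produce that pattern, while a wordlist run does within a second or two. The "success after burst" case is the one worth an alert rather than a dashboard entry, since it means the account lockout or rate limit that should have stopped the run was not there.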

I suppose I’m weak on the final “Login Failed” portion, etc. How best to work out the syntax to let hydra know it has a failed login?

Rooted the box.

What worked for me:

  • Using the API for brute-forcing the password. If you know anything about web apps vs. REST APIs you know why.
  • Using the API for exploiting the vulnerability. I couldn’t get the payload to work using the known exploit. After some frustration, I wrote my own script that took my remote command as an input, and allowed me to execute the exploit using the API. Worked right away! After completing the box I think I know why the REST API was a better path.
  • I went wd → root. Basic enumeration showed something that could easily be exploited for priv esc.

DM if you need a nudge.

After reading the forum and a message, I also wrote a brute-forcer in bash with the API for fun, but from the exploit you can also do the same in Python.

this challenge is the pits

I recently noticed that I hate hacking.
I’m pretty sure it’s just become a self-harm ritual at this point.

I do not understand the low rating; I had lots of fun with this box, and it was done pretty fast, everything taken into consideration.

:slight_smile: thanks @askar

@Ketil said:

I do not understand the low rating; I had lots of fun with this box, and it was done pretty fast, everything taken into consideration.

:slight_smile: thanks @askar

I 100% agree! This box was a lot of fun. It threw in some frustration and forced you to kinda think of ways to get around stock presets. I love it when curve balls get thrown. Not saying it was a hard box, but it had a great balance of challenge without being so time consuming. I liked it. Thank you.

Can someone explain @argot’s teacher hint in a little more detail? I don’t get it.

Any hint on the “verbs” hint? I’m not a native English speaker… I’m at the point of a “bad credentials” reply from the API, except one cred that results in a 403. Not sure I’m on the right path.

After we found the pages, is it an LFI or SQL injection method? I tried brute-forcing with top verbs collections, but after 4 hrs it failed. Can anyone share some more hints about the Argot theory, please?

@suretshi said:

Init HINT for dumb people like me who can’t find c*******:

  1. First you need to find m*********
  2. To search for m********* you need to do the most common thing that can be done with the d**b tool, and at the same time not give it anything outside of its standard directory.

After that, pay all attention to the found m*********, but, as already said, you do not need brute force!

  1. Then the question arises: what can be done other than brute-forcing?
  2. Here you need the hint about the teacher and verbs.
  3. However, this was not enough for me: note that sometimes a slash can be crucial.
  4. After that you should look at what the server told you.

I hope I haven’t suggested too much?

@suretshi Can you DM me? Or can anyone? I figured out the “verb” I was supposed to use, but I am very much a noob at web stuff and don’t really know what to do with the information I received. Thank you in advance!

rooted

So I have made a Python script to bruteforce the API; it rocks, but it is taking ages…

@igaralf said:

So I have made a Python script to bruteforce the API; it rocks, but it is taking ages…

Are you sure it’s working as intended? It should take seconds. The pass is among the first 50. (You can PM me your script if you’d like)

Is the username for the c***** a guessing game or is it default?

nvm got it!

I wrote a script to bruteforce the login page and got the password, but I would like to know how to bruteforce the API part. I don’t know what data to send (I tried ad***=&pass***=) but it keeps saying unauthorized.

I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

I enjoyed the box. Thanks @askar … To anyone that is struggling the hints that are listed should be more than enough to get you there. I made this way harder than it had to be.

@tang0 said:

I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

Nope. That mechanism is kinda sketchy, but our best guess is that whenever you get a 403 Forbidden it is because of the usage of some restricted chars, like space for example. That could also be used to (kinda) verify that your payload is legal.

@badman89 it could easily be guessed, but could even more easily be rocked.

Is it normal to be getting 403s on the m**n.gt.pp?