Wall


Comments

  • How are y'all getting creds for c*****? Trying to run hydra at it but might not have a great grasp on the syntax.

  • edited September 2019

    @0x6a666c6a72 said:
    I have creds for the service, but need help getting the exploit to work. I've tried formatting it in different ways/using different commands with no luck. Please PM for some direction.

    Same here, if anyone could point me to the right direction it would be greatly appreciated :smile:

    @saminskip said:
    How are y'all getting creds for c*****? Trying to run hydra at it but might not have a great grasp on the syntax.

    Execute hydra -U <protocol> if you want to get a quick understanding of the syntax. It includes some examples that could inspire you.

  • I suppose I'm weak on the final "Login Failed" portion etc. How best to work out the syntax to let hydra know it has a failed login?

  • edited September 2019
    Rooted the box.

    What worked for me:

    - Using the API for brute-forcing the password. If you know anything about web apps vs. REST APIs you know why.
    - Using the API for exploiting the vulnerability. I couldn't get the payload to work using the known exploit. After some frustration, I wrote my own script that took my remote command as an input, and allowed me to execute the exploit using the API. Worked right away! After completing the box I think I know why the REST API was a better path.
    - I went w***d*** -> root. Basic enumeration showed something that could easily be exploited for priv esc.

    DM if you need a nudge.

    zalpha
    OSCP | CISSP | CSSLP

    Respect always welcome if I can help you: https://www.hackthebox.eu/home/users/profile/140630

  • After reading the forum and a message, I also wrote a brute-forcer in bash with the API for fun, but from the exploit you can also do the same in Python.

    peek

  • This challenge is the pits.

    I recently noticed that I hate hacking.
    I'm pretty sure it's just become a self-harm ritual at this point.

    Hack The Box

  • I do not understand the low rating; I had lots of fun with this box, pretty fast done, everything taken into consideration.

    :) thanks @askar

    -All hail the Potato-

  • edited September 2019
    @Ketil said:
    > I do not understand the low rating; I had lots of fun with this box, pretty fast done, everything taken into consideration.
    >
    > :) thanks @askar

    I 100% agree! This box was a lot of fun. It threw in some frustration and forced you to kinda think of ways to get around stock presets. I love it when curve balls get thrown. Not saying it was a hard box, but it had a great balance of challenge without being so time consuming. I liked it. Thank you.

  • Can someone explain @argot's teacher hint in a little more detail? I don't get it.

  • Any hint on the "verbs" hint? I'm not a native English speaker... I'm at the point of a "bad credentials" reply from the API, except one cred that results in a 403. Not sure I'm on the right path.

  • After we found the pages, is it an LFI or SQL injection method? Tried brute force with top verbs collections but after 4 hrs it failed. Can anyone share some more hints about the Argot theory, please?

    NAGARAJNOW

  • @suretshi said:

    Init HINT for dumb people like me who can't find c*******:
    1. First you need to find m*********.
    2. To search for m********* you need to do the most common thing that can be done with the d**b tool, and at the same time not give it anything that is outside of its standard directory.

    After that, pay all attention to the found m*********, but, as already said, you do not need brute force!
    1. Then the question arises: what can be done other than brute-forcing?
    2. Here you need the hint about the teacher and verbs.
    3. However, this was not enough for me: note that sometimes a slash can be crucial.
    4. After that you should look at what the server told you.
    I hope I haven’t suggested too much?

    @suretshi Can you DM me? Or can anyone? I figured out the "verb" I was supposed to use, but I am very much a noob at web stuff and don't really know what to do with the information I received. Thank you in advance!

    Always willing to help! Please give respects if I help you on a box :)

  • rooted

    Arrexel
    OSCP | I'm not a rapper

  • So I have made a Python script to brute-force the API. It rocks, but it is taking ages...

  • @igaralf said:

    So I have made a Python script to brute-force the API. It rocks, but it is taking ages...

    Are you sure it's working as intended? It should take seconds. The pass is among the first 50. (You can PM me your script if you'd like)

    rowra

  • edited September 2019

    Is the username for the c***** a guessing game, or is it default?

    nvm got it!

  • I wrote a script to brute-force the login page and got the password, but I would like to know how to brute-force the API part. I don't know what data to send (I tried ad***=&pass***=) but it keeps saying unauthorized.

    Arrexel
    OSCP | I'm not a rapper

  • I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

    When asking for help, please describe what you have tried so far, so I don't spoil too much.
    If you believe i was able to help, please provide feedback by giving respect:
    https://www.hackthebox.eu/home/users/profile/122308

  • I enjoyed the box. Thanks @askar ... To anyone that is struggling the hints that are listed should be more than enough to get you there. I made this way harder than it had to be.

  • edited September 2019

    @tang0 said:

    I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

    Nope. That mechanism is kinda sketchy, but our best guess is that whenever you get 403 Forbidden it is because of the usage of some restricted chars, like space for example. That could also be used to verify (kinda) that your payload is legal.

    @badman89 it could easily be guessed but could even easier be rocked

    rowra

  • Is it normal to be getting 403s on the m**n.gt.pp?

  • edited September 2019

    Can somebody give me a hint? Found the usual files and one protected folders, others also have mentioned already. Please PM me.

    NVM found it

  • Got root. I can try to give you hints if you PM me.

    menessim

  • I found **.php, p****.php, /s*****-s*****, and /m*********. I don't understand the VERB hint or how anyone discovered c*****. Can anyone PM me for what the next step should be?

  • This one was weird. Didn't like that you get root and can get user and root flag but oh well!

  • edited September 2019
    @gNarv3 said:
    > This one was weird. Didn't like that you get root and can get user and root flag but oh well!
    >

    The way for just User s***** is actually quite nice. I think the path straight to root was not intended.

    menessim

  • edited September 2019

    [long and kinda misleading question about cve]
    EDIT: got www shell
    Check what special chars are not allowed in the desired field. Remove them completely; you can divide the RCE into as many parts as you want.

    I wonder if it is possible to crack hashes from db and restricted area? Has anyone done this?

  • @sazouki said:

    I wrote a script to brute-force the login page and got the password, but I would like to know how to brute-force the API part. I don't know what data to send (I tried ad=&pass=) but it keeps saying unauthorized.

    Check the response, it should be 'Bad credentials'.

    Deleite

  • For those having issues with the CVE exploit. Using the CVE exploit requires people NOT modifying the only poller configuration, especially the name. For goodness sake, duplicate it and modify it to your heart's content. Also, read the CVE write-up by @askar, who I think is also the box creator.

    limbernie
    Write-ups | Discord - limbernie#0386

  • Can someone DM me, I can't figure out what the "VERB" is after getting the m*********/ and a*.*** and p****.***.

    slimz28
