@c1cada said:
■■■■. Why so much hate? Lol. I get @asker made a box with some annoying “walls” to climb, but in frustration comes education. When you distill this box down it exercises some pretty fundamental pentest skills. No matter your status you can never practice the fundamentals enough. So yes. This box forced you to climb some “walls” but these walls were not that major and they forced you back to basics. In that way this is a great box. I very much enjoyed the fundamental principles and practice.
He didn’t make annoying walls. He just created a self-advertisement.
Apart from the initial foothold which was interesting and definitely had a learning-experience, the later part - and I’m especially talking about rooting the box - is totally uninspired and required zero effort (both for him and the attacker).
It just comes down to a random exploit, that has nothing to do with the previous findings, or requires any skill besides “basic enum”. And I’m sorry to say that, but “basic enum” & browsing exploit-db is nothing that should reward you with 30 points.
I’m a noob, I’ve found the api but can someone PM me with how to interact with it. I haven’t worked with an api before. Currently I’m just fuzzing it but essentially I need some help, or a link. Thank You
Hi guys, is there someone who can tell me how I can get the credentials for C********?
I already used Hydra for bruteforcing, I tried bypassing, I tried the default credentials of the service.
Guys I need help please!
Is it normal that when I enter the right credentials into c****** login page, it just simply shows me the access “Forbidden page”?
Hello fellow hackers!
What did everyone use to get creds for c********? BurpSuite takes forever, and Hydra comes back with false positives. If anyone has any resources, please pm me! Thank you!
Happy hacking!
Cracked the c**********, now python CVE not working… tested, using right ip and port, the script says it is triggering successfully, but nothing is hitting my listener. Any ideas?
Same. I just keep editing, launching, checking listener to see a blinking cursor… repeat ad nauseam. Back to editing
When running the exploit script unmodified under the ad*** account I get “You don’t have permission to access /c*******/main.get.*** on this server.” Same if I go in and manually try to edit the poller config. Is the correct path to modify the command in the script to bypass whatever filter they have in place that stops you from entering raw commands? Or is there another route to take using the A*I?
I am having trouble finding the credentials. I have tried numerous efforts by brute forcing with hydra, but it seems CSRF is preventing me from doing so. Others have been able to discover the credentials without brute forcing the login and I would like to know what they are doing to find the creds manually.
Edit: I was able to brute force the creds thanks to a very useful post on the forums here.