Wall

Comments

  • Rooted, didn't enjoy the box I'm sorry to the creator. These hints I wished I knew when I was doing the box. from w******a to root

    Enum Hints:
    1) There is a hidden directory that dirb cannot find with normal wordlists.. OSINT is the key

    2) [this is an issue that I had personally] the known way to do this box did not work for me, I had to find an alternative way for RCE.. more enumeration will get you what you exactly want

    Root Hint : enumerate for un-patched software

    PM if you need help with the box and star my profile if this helped!

  • Guys, I have got the [email protected]:/usr/local/cxxxxn/www$ shell. Lost completely here, could anyone please help guide me by PM - thank you in advance. +respect :)

  • edited September 2019

    Now on wwwdata to get further. Was stuck for ages on the pwd part with my scripts. In the end, check the variables you use for your attempts.
    echo / print is key to validate all good ;)
    I had errors in bash and in Python. Once those were fixed, few seconds....
    thanks for the hints! will proceed

  • This box is not well designed. There is a regular user, actually I saw once in the process list that someone logged in as that user, but brute forcing the password with simple lists leads nowhere. So I could read the user flag only when I rooted the box. Apparently it is easier to get root than to get user.

    Yet, I liked the challenge of getting a first shell, although I still don't get why some ways fail and others don't; of course, at some point you can easily see how others tried it - I wonder whether they succeeded. I also liked the priv esc for root - it's not at all subtle or cunning (a very basic enumeration gives you the evidence for what's wrong here) but you need to get all details right; took me a few experiments and lost shells to figure out how that works.

    Hack The Box

  • Finally rooted from ww*** to root....

  • @roelvb said:

    Hi guys, is there someone who can tell me how I can get the credentials for C******** ?
    I already used Hydra for bruteforcing, I tried bypassing, I tried the default credentials of the service.

    I'm stuck here for a while.

    Edit: I have found the password manually!

    I have looked everywhere for credentials. I don't want to brute force since most say it's not needed. Can you throw me a hint or DM?

    Huejash0le

  • @suretshi said:

    Init HINT for dumb people like me who can't find c*******:
    1. First you need to find m*********
    2. to search for m********* you need to do the most common thing that can be done with d**b tool and at the same time not give him anything that is outside of his standard directory.

    After that, pay all attention to the found m*********, but, as already said, you do not need brute force!
    1. Then the question arises: what can be done other than brute-forcing?
    2. Here you need a hint about the teacher and verbs.
    3. however, this was not enough for me: note that sometimes a slash can be crucial
    4. after that you should look at what the server told you.
    I hope I haven’t suggested too much?

    Thanks. I needed this.

  • Rooted,
    I have to say very good box, never had to try VARS while doing initial recon and I've learned a new trick. With the access and then exploit again, if you do your research correctly, understand what's running on the server and how to trigger RCE, it's downhill from there. Very much real-life pen testing skills; recon and understanding of the platform is the key. Very well done to the author.

  • I'm stuck on trying to bruteforce c******* creds, I've tried to ROCK a modified CVE Script, but I'm having no success.

    Could someone send me a DM?

  • edited September 2019

    Rooted. I enjoyed only the user part, since the root part (www-data -> root) was trivial.

    Hint for User: When you hit the Wall, the internal field separator may come in handy.

  • rooted, I learnt a lot

  • Rooted
    Nice box, enjoyed it
    DM if you are stuck

  • edited September 2019

    Got root from www-data, with an exploit that was used in another HTB box a few months ago. All in all, had some fun and learned some stuff with this one, so, thanks @askar! :)

    Can I DM anyone about the www-data > user path ? Thought it was SQL related at first, but it turns out someone just left that open while popping the box. Can't really see anything, now, would love to know !

  • @ml19 said:

    now on wwwdata to get further. Was stuck for ages on the pwd part with my scripts. in...

    Thanks, will do :)

  • Got root before user as well, through w**-**** initially... Not sure how someone would go through the user first... If anyone has a clue.

    lduros

  • Does the "Verb" hint have to do with a cred or a directory?

  • @0rbit4L said:

    Does the "Verb" hint have to do with a cred or a directory?

    Think about protocols here.

    lduros

  • Can someone please PM me with a hint on how to get the creds for c******?

  • FINALLY rooted. Thank you so much to @cdf123 , @menessim , and @rowra for all your help!!!

    Always willing to help! Please give respects if I help you on a box :)

  • Finally rooted, after 3 frustrating days...
    My hints:

    USER: everything is said already in the forums about the bad characters. Pay attention to escape things you do not need or just give them what they want. Also the script is not ending after it sets the payload ;)

    ROOT: I too went from www -> root it sticks out

    Thanks to @redshift and @greenpanda999 for saving me from insanity :neutral:

    amra13579l

  • Looking for a nudge on my first time box. read through c******* docs for some default creds but nothing working. No real hints I can think of from previous recon, have not tried brute forcing. DM if you want to help, looking to learn. remove if not proper post!

    Cheers

  • at the C****** login, PM a hint?

    cognitiv3

  • edited September 2019

    Lol, did anyone change the credentials in the admin panel???? I can't access the panel.

    I reboot

  • edited September 2019

    Hello fellow hackers!
    I'm trying everything I can think of to get a shell, I suspect the payload needs some tweaking, but can't get it to work. I also tried escaping characters.
    If anyone can help with this, a DM would be appreciated!

    Edit: managed to get a connection back to my listener, but no shell, it just hangs with the blinking cursor.

    Flasterootz

  • edited September 2019
    Any nudge for priv esc part? Kernel exploitation does not work.

    Edit: Rooted, Thanx to @MarsG for nudge.

    Hint for FOOTHOLD: First step is CTF-like, enum and make request by another verb, then try to login, you gonna hit rock. When you are in, there is an obvious CVE by creator of box. You need to edit something to jump over the wall and get shell.

    Hint for USER and ROOT: Do not overlook while basic enumeration. Some hints are misleading in forum. Inspect usual things and you will see another CVE for **w-***a to root.

    kamilonurz

  • I'm really not getting the VERB hint. Can someone PM me some help? I'm badly stuck on that VERB

  • Rooted

    In general the box is easy.

    For the user, if anyone is using the script and it is not working, that is because someone else is changing what you are doing with your script. For me, I have exploited the vulnerability manually.

    Also, if your command is not working, that might be a filter being applied to your command, so try to find out how to bypass that. (export configuration is helpful ;) )

    For root, it's easier than user.

  • I found one LI page /m******** but I'm noticing you guys/gals mentioning another LI page /c***** and I've busted every list from here to Tallahassee and I haven't seen the c one, because apparently that's the one I should be focusing on, but I can't seem to locate it. Could someone PM the proper list? I've used all the ones I have.

  • @0rbit4L said:

    I found one LI page /m******** but I'm noticing you guys/gals mentioning another LI page /c***** and I've busted every list from here to Tallahassee and I haven't seen the c one, because apparently that's the one I should be focusing on, but I can't seem to locate it. Could someone PM the proper list? I've used all the ones I have.

    Use Burp and visit the /m**** page and check the redirect page

  • I'm a complete beginner at this, although I do have 15+ years of IT/networking experience (sysadmin). Trying to change fields. I was able to discover all of the files/directories. I've read every comment on every page for this box - I'm definitely an over-thinker. I would prefer to brute-force the login, even though it's said it is not needed (just for practice). I've tried Hydra, wfuzz and Burp. I can't get Burp to receive a response in the proxy listener; the login prompt appears immediately, unlike a normal login page. Would someone be so kind as to help steer me in the right direction? Maybe I'm using Hydra, wfuzz and Burp wrong, although I've used them before (but only while following Ippsec's videos) and, especially with Burp, semi-know what I'm doing. PMs today greatly appreciated!
