Wall

Type your comment> @ml19 said:

now on wwwdata to get further. Was stuck for ages on the pwd part with my scripts. in…

Thanks, will do :slight_smile:

Got root before user as well, through w**-**** initially… Not sure how someone would go through the user first… If anyone has a clue.

Does the “Verb” hint have to do with a cred or a directory?

Type your comment> @0rbit4L said:

Does the “Verb” hint have to do with a cred or a directory?

Think about protocols here.

Can someone please PM me with a hint on how to get the creds for c******?

FINALLY rooted. Thank you so much to @cdf123 , @menessim , and @rowra for all your help!!!

Finally rooted, after 3 frustrating days…
My hints:

USER: everything is said already in the forums about the bad characters. Pay attention to escape things you do not need or just give them what they want. Also the script is not ending after it sets the payload :wink:

ROOT: I too went from www → root it sticks out

Thanks to @redshift and @greenpanda999 for saving me from insanity :neutral:

Looking for a nudge on my first time box. read through c******* docs for some default creds but nothing working. No real hints I can think of from previous recon, have not tried brute forcing. DM if you want to help, looking to learn. remove if not proper post!

Cheers

at the C****** login, PM a hint?

Lol anyone change the credentials in the admin panel??? I can’t access to the panel.

I reeboot

Hello fellow hackers!
I’m trying everything I can think of to get a shell, I suspect the payload needs some tweaking, but can’t get it to work. I also tried escaping characters.
If anyone can help with this,a DM would be appreciated !

Edit: managed to get a connection back to my listener, but no shell, it just hangs with the blinking cursor .

Any nudge for priv esc part? Kernel exploitation does not work.

Edit: Rooted, Thanx to @MarsG for nudge.

Hint for FOOTHOLD: First step is CTF-like, enum and make request by another verb, then try to login, you gonna hit rock. When you are in, there is an obvious CVE by creator of box. You need to edit something to jump over the wall and get shell.

Hint for USER and ROOT: Do not overlook while basic enumeration. Some hints are misleading in forum. Inspect usual things and you will see another CVE for **w-***a to root.

i m really not getting the VERB hint. Can someone PM me some help? i m badly stuck on that VERB

Rooted

In general the box is easy.

For the user, if anyone is using the script and is not working that because someone else is changing what you are doing with your script. For me, I have exploited the vulnerability manually.

Also, if your command is not working, that might be a filter being applied to your command, so try to find out how to bypass that. (export configuration is helpful :wink: )

For root, it’s easier than user.

i found one LI page /m******** but im noticing you guys/gals mentioning another LI page /c***** and ive busted everylist from here to talahasee and i havent seen the c one, because apparently thats the one i should be focusing on, but i cant seem to locate it, could someone PM the proper list …ive used all the ones i have…

Type your comment> @0rbit4L said:

i found one LI page /m******** but im noticing you guys/gals mentioning another LI page /c***** and ive busted everylist from here to talahasee and i havent seen the c one, because apparently thats the one i should be focusing on, but i cant seem to locate it, could someone PM the proper list …ive used all the ones i have…

use burp and visit /m**** page and check the redirect page

I’m a complete beginner at this, although I do have 15+ years of IT/networking experience (sysadmin). Trying to change fields. I was able to discover all of the files/directories. I’ve read every comment on every page for this box - I’m definitely an over-thinker. I would prefer to brute-force the login, even though it’s said it is not needed (just for practice). I’ve tried Hydra, wfuzz and Burp. I can’t get Burp to receive a response in the proxy listener; the login prompt appears immediately, unlike a normal login page. Would someone be so kind as to help steer me in the right direction? Maybe I’m using Hydra, wfuzz and Burp wrong, although I’ve used them before (but only while following Ippsec’s videos) and, especially with Burp, semi-know what I’m doing. PMs today greatly appreciated!

Get user was hard, but root is obtained straight from www-data.

-Tips for user:

  1. Enumeration is your best friend
  2. API is always a gold pot. You must use it.
  3. Now, you need to prepare yourself against a long battle with command-injection! Try to find escape characters.

-Tips for root:

  1. Look at your privesc-enumeration. It is there!

In particular, I got root from www.

Is there another way?

PM for nudges!

Good luck!

@ptavares That long battle, do you have any hints besides escape characters? I played with figuring what it didn’t like, but still no dice. Can’t seem to get a reverse shell.

i manage to find that page c***** people were mentioning but trying to figure out the credentials? is there any way other the bruteforce or do i need to poke around? if anybody can DM with a tip i will appreciate it