Wall

Finally rooted, after 3 frustrating days…
My hints:

USER: everything is said already in the forums about the bad characters. Pay attention to escape things you do not need or just give them what they want. Also the script is not ending after it sets the payload :wink:

ROOT: I too went from www → root; it sticks out.

Thanks to @redshift and @greenpanda999 for saving me from insanity :neutral:

Looking for a nudge on my first time box. Read through c******* docs for some default creds but nothing working. No real hints I can think of from previous recon, have not tried brute forcing. DM if you want to help, looking to learn. Remove if not proper post!

Cheers

At the C****** login, PM a hint?

Lol, anyone change the credentials in the admin panel??? I can’t access the panel.

I reboot

Hello fellow hackers!
I’m trying everything I can think of to get a shell, I suspect the payload needs some tweaking, but can’t get it to work. I also tried escaping characters.
If anyone can help with this, a DM would be appreciated!

Edit: managed to get a connection back to my listener, but no shell, it just hangs with the blinking cursor.

Any nudge for priv esc part? Kernel exploitation does not work.

Edit: Rooted, Thanx to @MarsG for nudge.

Hint for FOOTHOLD: First step is CTF-like, enum and make request by another verb, then try to login, you gonna hit rock. When you are in, there is an obvious CVE by creator of box. You need to edit something to jump over the wall and get shell.

Hint for USER and ROOT: Do not overlook while basic enumeration. Some hints are misleading in forum. Inspect usual things and you will see another CVE for **w-***a to root.

I’m really not getting the VERB hint. Can someone PM me some help? I’m badly stuck on that VERB.

Rooted

In general the box is easy.

For the user, if anyone is using the script and it is not working, that’s because someone else is changing what you are doing with your script. For me, I have exploited the vulnerability manually.

Also, if your command is not working, that might be a filter being applied to your command, so try to find out how to bypass that. (export configuration is helpful :wink: )

For root, it’s easier than user.

I found one LI page /m******** but I’m noticing you guys/gals mentioning another LI page /c***** and I’ve busted every list from here to Tallahassee and I haven’t seen the c one, because apparently that’s the one I should be focusing on, but I can’t seem to locate it. Could someone PM the proper list …I’ve used all the ones I have…

@0rbit4L said:

I found one LI page /m******** but I’m noticing you guys/gals mentioning another LI page /c***** and I’ve busted every list from here to Tallahassee and I haven’t seen the c one, because apparently that’s the one I should be focusing on, but I can’t seem to locate it. Could someone PM the proper list …I’ve used all the ones I have…

Use Burp and visit the /m**** page and check the redirect page.

I’m a complete beginner at this, although I do have 15+ years of IT/networking experience (sysadmin). Trying to change fields. I was able to discover all of the files/directories. I’ve read every comment on every page for this box - I’m definitely an over-thinker. I would prefer to brute-force the login, even though it’s said it is not needed (just for practice). I’ve tried Hydra, wfuzz and Burp. I can’t get Burp to receive a response in the proxy listener; the login prompt appears immediately, unlike a normal login page. Would someone be so kind as to help steer me in the right direction? Maybe I’m using Hydra, wfuzz and Burp wrong, although I’ve used them before (but only while following Ippsec’s videos) and, especially with Burp, semi-know what I’m doing. PMs today greatly appreciated!

Getting user was hard, but root is obtained straight from www-data.

-Tips for user:

  1. Enumeration is your best friend
  2. API is always a gold pot. You must use it.
  3. Now, you need to prepare yourself against a long battle with command-injection! Try to find escape characters.

-Tips for root:

  1. Look at your privesc-enumeration. It is there!

In particular, I got root from www.

Is there another way?

PM for nudges!

Good luck!

@ptavares That long battle, do you have any hints besides escape characters? I played with figuring what it didn’t like, but still no dice. Can’t seem to get a reverse shell.

I managed to find that page c***** people were mentioning but I’m trying to figure out the credentials. Is there any way other than bruteforce or do I need to poke around? If anybody can DM with a tip I will appreciate it.

Well, I am currently learning in this field; it helped me to learn many things and I hope that my future machines will also do it. In my opinion as a noob, the machine is very complete for people who are starting out (like me), so it is a very good machine to learn on. Hints:

  1. Enumeration
  2. Enumeration
  3. CVE
  4. Enumeration
  5. CVE

Thanks to all the people who helped me!

Rooted !

Honestly user part was nice after all but root was totally not challenging :/.

PM me if needed :slight_smile:

Rooted :mrgreen:

Went down a rabbit hole so the initial shell was easier for me than root.

Hint for root: make sure you check version info during enumeration.

Managed to “bruteforce” login creds for /c******** but now I’m struggling with 403 Forbidden.

I’ve figured out “what” is triggering 403 but I have no idea how to bypass it.
Can anyone give me a nudge?

I am also struggling to get the credentials for the /c*******. I tried many different ways, such as trying to guess, default credentials, bruteforcing with different wordlists and common usernames, and I also wrote a Python script in order to bypass the CSRF protection, if this was the problem, but with no luck either… There is a password that, no matter the username, gives you a different response (403), but it isn’t helpful because you can’t access the required URLs for the public exploit… I really don’t know what else I should do…

Could anyone help me with brute-forcing? I am working with Wfuzz at the moment, but I haven’t got a lot of flops with me and it’s taking its time.