Finally rooted, after 3 frustrating days…
My hints:
USER: Everything has already been said in the forums about the bad characters. Pay attention to escaping things you do not need, or just give them what they want. Also, the script does not end after it sets the payload.
Looking for a nudge on my first-time box. I read through the c******* docs for some default creds, but nothing is working. No real hints I can think of from previous recon; I have not tried brute-forcing. DM me if you want to help; I'm looking to learn. Remove if this is not a proper post!
Hello fellow hackers!
I’m trying everything I can think of to get a shell. I suspect the payload needs some tweaking, but I can’t get it to work. I also tried escaping characters.
If anyone can help with this, a DM would be appreciated!
Edit: I managed to get a connection back to my listener, but no shell; it just hangs with a blinking cursor.
Hint for FOOTHOLD: The first step is CTF-like: enumerate and make the request with another verb, then try to log in; you are going to hit rock. When you are in, there is an obvious CVE by the creator of the box. You need to edit something to jump over the wall and get a shell.
Hint for USER and ROOT: Do not overlook things during basic enumeration. Some hints in the forum are misleading. Inspect the usual things and you will see another CVE for **w-***a to root.
For the user: if anyone is using the script and it is not working, that is because someone else is changing what you are doing with your script. For me, I exploited the vulnerability manually.
Also, if your command is not working, that might be a filter being applied to your command, so try to find out how to bypass it (export configuration is helpful).
I found one LI page, /m********, but I'm noticing you guys/gals mentioning another LI page, /c*****, and I've busted every list from here to Tallahassee and I haven't seen the c one. Apparently that's the one I should be focusing on, but I can't seem to locate it. Could someone PM me the proper list? I've used all the ones I have…
Use Burp, visit the /m**** page and check the redirect page.
I’m a complete beginner at this, although I do have 15+ years of IT/networking experience (sysadmin). Trying to change fields. I was able to discover all of the files/directories. I’ve read every comment on every page for this box - I’m definitely an over-thinker. I would prefer to brute-force the login, even though it’s said it is not needed (just for practice). I’ve tried Hydra, wfuzz and Burp. I can’t get Burp to receive a response in the proxy listener; the login prompt appears immediately, unlike a normal login page. Would someone be so kind as to help steer me in the right direction? Maybe I’m using Hydra, wfuzz and Burp wrong, although I’ve used them before (but only while following Ippsec’s videos) and, especially with Burp, semi-know what I’m doing. PMs today greatly appreciated!
@ptavares That long battle, do you have any hints besides escape characters? I played with figuring what it didn’t like, but still no dice. Can’t seem to get a reverse shell.
I managed to find that /c***** page people were mentioning, but I'm trying to figure out the credentials. Is there any way other than brute force, or do I need to poke around? If anybody can DM me a tip, I will appreciate it.
Well, I am currently learning in this field; it helped me learn many things, and I hope that I will also do this on my future machines. In my noob opinion, the machine is very complete for people who are starting (like me), so it is a very good machine to learn from. Hints:
I am also struggling to get the credentials for /c*******. I tried many different ways, such as trying to guess, default credentials, brute-forcing with different wordlists and common usernames, and I also wrote a Python script to bypass the CSRF protection, in case that was the problem, but with no luck either… There is a password that, no matter the username, gives you a different response (403), but it isn’t helpful because you can’t use/access the required URLs for the public exploit… I really don’t know what else I should do…