Wall

@daks39 said:
I am also struggling to get the credentials for the /c*******. I tried many different ways, such as trying to guess, default credentials, bruteforcing with different wordlists and common usernames, and I also wrote a Python script in order to bypass the CSRF protection, if this was the problem, but with no luck either… There is a password that, no matter the username, gives you a different response (403), but it isn’t helpful because you can’t access the required URLs for the public exploit… I really don’t know what else I should do…

Look at the documentation for AuthN. Once you understand how to talk to that, it’s a 1-5 line script (depending on your language of choice), no CSRF token needed. I would bet lots of money that you’ve already used the right wordlist, so re-evaluate the script you wrote.

@lunchboxrcl said:

Frustrating… I can see NC receive a connection but I’m unable to issue any commands (at least I’m not able to see the output of them). Any ideas?

Same here, have the connection back, but can’t interact with the shell?? Anyone?

Can someone help me with the script? I’m having a hard time even getting feedback for my actions…

Anyone want to hint me what to do to / with the script? I have what appear to be valid creds, but the script falls over trying to get a P… token.

Trying to follow the links in the CVE write-up gets me blank pages or a BAD REQUEST response, so I’m struggling to see a way forward as I get no responses to commands to know where to dig more.

Thanks in advance

@GChester said:

Anyone want to hint me what to do to / with the script? I have what appear to be valid creds, but the script falls over trying to get a P… token.

Trying to follow the links in the CVE write-up gets me blank pages or a BAD REQUEST response, so I’m struggling to see a way forward as I get no responses to commands to know where to dig more.

Thanks in advance

I am exactly at the same point. The error mentions a “list index out of range”.

PP

Since the creator of the box was the one who found the zero day and wrote the CVE, I think he probably (maybe?) made it to where the script he wrote isn’t supposed to work. It probably could with some heavy editing but, as I was hinted at, just read the script line-by-line, understand what it does step by step and try to reproduce that in the w** A** a**** p****.

@Corsemode said:

I have tried rewriting this exploit, and it simply isn’t working. I’ve also tried to exploit manually, but I’m continually getting 403s once I put a space in the input field. I’ve encoded the space and same thing. This is frustrating…

Facing the same issue. Were you able to resolve it?

@pp123 said:
@GChester said:

Anyone want to hint me what to do to / with the script? I have what appear to be valid creds, but the script falls over trying to get a P… token.

Trying to follow the links in the CVE write-up gets me blank pages or a BAD REQUEST response, so I’m struggling to see a way forward as I get no responses to commands to know where to dig more.

Thanks in advance

I am exactly at the same point. The error mentions a “list index out of range”.

PP

Try to read the script and look for hardcoded array/list accesses. Printing the intermediate outputs also helps.

I am stuck, trying to modify exploit. I successfully connected but still I can’t launch reverse shell. I tried with mknod and other solutions without e argument but without success. Can anyone give me a hint how to achieve that?

Anyone know why I get false positives trying to brute force the pass for the c******* login page? Hung up on getting creds here. PM if you can nudge me in the right direction.

Rooted - thanks to @ustoun for the nudge. If anyone needs help, PM me.

Rooted. Thanks @redshift for helping with the payload.
Thanks @greenpanda999 for explaining the API.
Thanks @amra13579 for giving me the shell inspiration.
Thanks @beorn for the final nudge on root.
Yes. It takes 4 to help me get over this box (shows how noob I am), but do PM me if you need help.

Am I the only one not following the teacher and verb hints… I have all the pages mentioned above, tried multiple HTTP methods. Used Burp to assess the auth etc.

Any hints or DMs would be greatly appreciated.

Tips:

  • Initial access: Maybe by using a different method you could bypass that authentication?
  • Shell: Security is tight, and the thing you find won’t work out of the box. Do it manually to test your attack
  • Privesc: Standard enumeration will get you what you need.

I’m really struggling with this c******* page. Cannot find it with gobuster/dirb and am not getting the verb/teacher hint. Can someone PM me pls :)

Made it to w**-d*** and a reverse shell with the help (and not so subtle “hint”) from @harshallakare. @beorn was also a great help. Now, I guess it’s onto enumeration and privesc!

Well, I enjoyed this box and have rated accordingly, thanks to the creator.

Is Metasploit’s password.lst enough for c*****? I’m far far away from the nearest servers so bruteforcing is not so easy for me.

Hi, what tools do you use to find c*****?

Rooted, great thanks to @bngrsec for the nudges :) I must say this has been one of the most inconsistent boxes I have seen here so far :(

  • guessing / bruteforcing to me is always a big letdown
  • the CVE which I thought was the point of the box (as it was found by the creator) is not even needed
  • getting root before user was very, very strange…