Wall

@3322kr said:
@PanamaEd117 said:

Tried ZAP, gobuster, dirb, dirbuster gui, sparta, not able to find anything other than the basic 3 dirsearch.py finds. Added extensions to dump all types of request verbiage. Nada. Could use some help here…

Use the most common tool to intercept requests and then look at the responses of the directories you have found. Also see which options (GET, POST, HEAD, DELETE) you can use.

hi, help CVE.
Forbidden

You don’t have permission to access /c*******/main.get.php on this server.
Apache/2.4.29 (Ubuntu) Server at 10.10.10.157 Port 80

@hanter said:

hi, help CVE.
Forbidden

You don’t have permission to access /c*******/main.get.php on this server.
Apache/2.4.29 (Ubuntu) Server at 10.10.10.157 Port 80

That means your payload has been denied. Try it manually to work out what’s allowed and what isn’t.

After a long struggle … an interesting box!

I rooted the box several days before, but it took until now to get the CVE to work (my fault - a simple mistake).

I learned a lot and I am not ready yet. Did anybody succeed with the priv esc via the database?

Cannot get creds for c******* login, how to do that…

@HAL9000B said:

After a long struggle … an interesting box!

I rooted the box several days before, but it took until now to get the CVE to work (my fault - a simple mistake).

I learned a lot and I am not ready yet. Did anybody succeed with the priv esc via the database?

I tried the priv esc via database but got stuck at copying the shared lib to the right dir. Got errors. I am not sure why. I wrote to @askar to ask about it. Waiting to hear back.

However, I haven’t found the process yet using the common enum script. I wonder if there is another way for this particular type of enum?

Let me know if you get database to work.

Guys,
is the path from www-data to root the intended way?

Hi guys,
I am able to get the CVE script to log in, but it fails at “retrieving the poller_token”. I’m not sure what I’m doing wrong/missing - anyone else seeing this issue? Not sure if it’s a Wall thing or something else. All help appreciated :)

Anybody have an issue with the CVE script? I always get an error like this:

IndexError: list index out of range

token = soup.findAll('input')[3].get("value")

Hi Everyone,

Enumerated all the pages but struggling with this /c******* verb. Could someone give me a nudge please?

@sqw3Egl @antim4g3 I don’t think the zero day finder/author of the CVE/box creator intended for his exploit to be used on this box. You need to read that article very carefully, look at all the pictures carefully, read the exploit line-by-line carefully, understanding what everything does, why he’s doing it, etc. Then do everything manually. I’ve talked to 10+ people in this thread about the box, as well as read almost every comment in the thread and I don’t think anyone has used the CVE exploit itself to login/get a shell.

@Banjo9117 GET is a verb. What is the opposite of GET in this specific case?

@antim4g3 said:

Anybody have an issue with the CVE script? I always get an error like this:

IndexError: list index out of range

token = soup.findAll('input')[3].get("value")

As discussed in the comments of the blog-post, this may work better: token = soup.find('input', {'name': 'blahblahtoken'}).get('value')
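
Added example, not part of the original thread or of the script being discussed: why a positional lookup such as `findAll('input')[3]` is fragile and what a lookup by field name changes. It uses the standard library's `html.parser` instead of BeautifulSoup so it runs without dependencies; the sample pages are constructed, and `blahblahtoken` is the placeholder field name from the post above.

```python
from html.parser import HTMLParser

# Constructed sample responses (not captured from any real server).
FORM_PAGE = """<form method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submit" value="Connect">
<input type="hidden" name="blahblahtoken" value="a1b2c3d4">
</form>"""
# Same fields, different order: the hidden token is now the first input.
REORDERED_PAGE = """<form method="post">
<input type="hidden" name="blahblahtoken" value="a1b2c3d4">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submit" value="Connect">
</form>"""
# An error body with no form at all, as a denied request would return.
ERROR_PAGE = "<html><body><h1>Forbidden</h1></body></html>"


class InputCollector(HTMLParser):
    """Collects the attributes of every <input> tag in document order."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def collect_inputs(html):
    parser = InputCollector()
    parser.feed(html)
    parser.close()
    return parser.inputs


def token_by_position(html, index=3):
    """Positional lookup, like findAll('input')[3]: breaks when layout changes."""
    return collect_inputs(html)[index].get("value")


def token_by_name(html, name="blahblahtoken"):
    """Lookup by the name attribute; fails loudly if the field is absent."""
    for attrs in collect_inputs(html):
        if attrs.get("name") == name:
            return attrs.get("value")
    raise LookupError(f"no <input name={name!r}> in response; inspect status and body")
```

The positional version returns the submit button's value on the reordered page and raises `IndexError` on the error page, which is the symptom reported above; the name-based version returns the same token for both form layouts and raises a descriptive error when the response is not the expected form.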

Can anyone message me to share how they escalated from w**-d*** shell? I went straight to root and I’m curious how others got user and root hashes.

Finally rooted. Stuck at getting rev shell for 2 days. My advice: don’t go with the CVE. After reading what it is doing, do it manually while keeping an eye on what chars are allowed. Then craft your command accordingly. Thanks to the creator of this machine. It was fun.

This one hit me right on the confidence. Thanks for the challenge.

@SullyInATX said:

@sqw3Egl @antim4g3 I don’t think the zero day finder/author of the CVE/box creator intended for his exploit to be used on this box. You need to read that article very carefully, look at all the pictures carefully, read the exploit line-by-line carefully, understanding what everything does, why he’s doing it, etc. Then do everything manually. I’ve talked to 10+ people in this thread about the box, as well as read almost every comment in the thread and I don’t think anyone has used the CVE exploit itself to login/get a shell.

@Banjo9117 GET is a verb. What is the opposite of GET in this specific case?

Thanks @SullyInATX, this issue is I can’t find /c*******. Is it a case of crafting a particular request from one of the other pages to get the name of the directory?

@Banjo9117 said:

@SullyInATX said:

@sqw3Egl @antim4g3 I don’t think the zero day finder/author of the CVE/box creator intended for his exploit to be used on this box. You need to read that article very carefully, look at all the pictures carefully, read the exploit line-by-line carefully, understanding what everything does, why he’s doing it, etc. Then do everything manually. I’ve talked to 10+ people in this thread about the box, as well as read almost every comment in the thread and I don’t think anyone has used the CVE exploit itself to login/get a shell.

@Banjo9117 GET is a verb. What is the opposite of GET in this specific case?

Thanks @SullyInATX, this issue is I can’t find /c*******. Is it a case of crafting a particular request from one of the other pages to get the name of the directory?

There are approximately 301 routes to the destination you’re looking for.

Hi, first forum post here… I think I need an extra nudge for this box. Who’s available for a PM? I don’t want to spoil my progress so far… I’m trying to bypass restrictions to RCE… My shell should be picking up a connection, but isn’t. When I modify things manually, it seems to export OK (as long as I untick the debug).

Well, I thought I knew a couple of things about ethical hacking… but as my mom said when she enrolled me in school - and I’m paraphrasing - “I bring a talking donkey”. Boy, I don’t know s$%t at all!! I’ve dirbuster’d my way with a small dictionary, found the /m********* but I’m stuck at the login page… tried to xhydra my way in, httpfuzz’d the thing but nothing… Can anyone shed some light on what to do next? I’m definitely eager to learn!

Spoiler Removed