Json


Comments

  • edited September 2019

    So far, I've spent more time setting up a Windows VM just to DO THIS BOX than I have actually working on the box itself. Not sure if this is intended or not, but I spent the last 8 hours trying to figure out how to do it in Linux and it doesn't work.

    If anyone has any hints for bypassing this, PLEASE feel free to reach out. I'm on the verge of insanity and really not enjoying myself, lol.

    Edit: I figured out how to do it on Linux. But Jesus Christ, that was not a fun ride. Moving forward with this knowledge now though.

    What a learning experience that was.


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"

  • Found the two endpoints as others have mentioned. Been messing around with ys****al; couldn't get it to generate on Kali, so I used my Windows box. Really not sure if this is the right way to go.

    Do I mix cereal with biscuits or keep stringing along :/

  • I think this is "one" way... I took it too. Wine/cross-compiling was a bit too time-consuming for me.

  • edited September 2019

    Rooted. Mixed feelings, didn't enjoy it much. Learned something new though. Thanks to the creator!

    My two cents:

    User: Read the source, find A******, play with B*****. Spawn a free Windows VM, you'll need it!
    Root: Vegetable (easy). Didn't explore another path.

  • edited October 2019

    Got the token, tried to modify it to trigger SSTI because one of the parameters was reflected on the webpage in a funny manner, got nothing out of it. People are mentioning ys******* and I don't understand how you get to that point. What's the link between this machine and ys*******? I see no evidence whatsoever to even think about using ys*******.

    So yeah, I'm lost :P


  • I tried different payloads and none of them get to code execution. Is this the right way?

  • Awesome box! I'm a potato on Windows, so this box definitely taught me a lot.
  • edited October 2019

    Nice box, forced me to learn a thing or two about Windows privesc. I got user fast (after I realized that there MUST be a space after -n in MS ping...) and then I spent much more time figuring out how to cook the vegetable.

  • The non-vegetable way to root feels easier to me, more straightforward.

    limbernie
    My write-ups of retired machines | Discord - limbernie#0386

  • Did someone use the POC tool "yso.......net"? Is that the right way?

  • edited October 2019

    @supercop89 said:

    Did someone use the POC tool "yso.......net"? Is that the right way?

    Yep, that's what I used!


  • Got root. The trickiest part of this for me was formatting my payload. Happy to help if anyone needs a nudge
  • edited October 2019

    Very good machine, thank you to the creator of the box for his work. :)

    User:

    • The user part is relatively simple, and do your research well, you will need a special tool to create your payload. The name of the box gives a good clue to continue your way.

    Root:

    • There is an interesting program you need to understand (FTP). Try to understand how the program works, and read the functions that will allow you to decipher the information.

    If you have any questions, do not hesitate to contact me. ;)

  • Finally got there!

    User: Cookies and cereal... yummy! Best off making your cereal on a Windows box though :P

    Root: plain vegetable, although for those unfamiliar like myself, ensure you use the right OS variable.

  • edited October 2019
    I am creating the payload and I have no problems with "formatting" but I can't seem to get past other errors. Tried both of the payloads offered by the tool.

    Edit: The cause of my problem was that I used the tool's encoding function. It doesn't work if I encode the payload that way but weird enough it works if I encode it with Burp. Wat?
  • Can anyone give me some suggestions on what source to read on? I think I get the idea, understand the tools that you guys are using, but just don't understand how it fits in here... How could you pass the json data to the server, and why will it be interpreted in that way? Thanks for the help!

  • edited October 2019

    I was able to get command execution on the target but I'm not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

    Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

  • @gomeznap said:
    I was able to get command execution on the target but I'm not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

    Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

    Try Meterpreter!

  • edited October 2019

    @x000 said:

    @gomeznap said:
    I was able to get command execution on the target but I'm not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

    Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

    Try Meterpreter!

    Thanks for the comment!

    I tried a couple of different meterpreter payloads and they never connect back to the exploit handler. Is there anything special I have to do on a Windows machine to run the executable once it's dropped on there, or should I just be able to run it with a command like "payload.exe"?

    Edit: Got User thank you to @argal and @dr0ctag0n for the help!


  • Why not use PowerShell in-memory payloads? #empire
  • Sorry for my last message... it seems I can't delete it.
    So,
    I'm just a step before gomeznap, I guess: I've managed to execute DOS commands and ping my IP with the help of ys******t. And... that's all.
    I can't manage to execute PowerShell (and, as far as I know, can't upload/download files).
    Did I miss something?
    I've tried to launch PowerShell with "-c", doesn't seem to work. I've even tried to modify ys*****t in order to execute PowerShell in place of cmd.
    Well, I'm a bit lost.

    Does anyone have a clue where I can search/test further? PM

  • @gomeznap said:

    @x000 said:

    @gomeznap said:
    I was able to get command execution on the target but I'm not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

    Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

    Try Meterpreter!

    Thanks for the comment!

    I tried a couple of different meterpreter payloads and they never connect back to the exploit handler. Is there anything special I have to do on a Windows machine to run the executable once it's dropped on there, or should I just be able to run it with a command like "payload.exe"?

    Sometimes, especially with blind RCE like this box, it helps to create some random folder somewhere on the remote machine to save it to, in order to make sure that you have the correct permissions. I tried my payload several times from typical directories and it wouldn't work until I created a new C:\tmp folder with a mkdir command before sending the file. I think it was preventing me from outputting into the directory, but without a shell you can't see the errors or whether the file is created.

    You should be able to run it by just sending the full path as a command. for example C:\tmp\payload.exe
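    The post above describes the steps an operator works through on a blind command-execution foothold: a ping to their own host, a scratch directory created at a drive root such as C:\tmp, and a dropped executable run by its full path. Each of those steps is visible from the defender's side in process-creation telemetry. The Python below is an added example, not code from this thread or from Hack The Box. It assumes the web application runs under the IIS worker process w3wp.exe, uses a constructed event shape (host, parent image, command line) rather than a real EDR or Sysmon schema, and feeds in constructed sample events (the 10.10.14.5 address is made up). It flags a shell spawned by the web worker, a non-loopback ping-back issued from it, a directory created directly under a drive root, and an executable later launched from that new directory on the same host.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Event shape used here: (host, parent image path, command line). This is a
# constructed shape for the example, not a real EDR or Sysmon schema.
Event = Tuple[str, str, str]
Finding = Tuple[str, str, str]  # (host, rule name, command line)

# Assumed: the web application runs under the IIS worker process w3wp.exe.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# ping <flags...> <IPv4>: the out-of-band "ping my IP" check from the thread.
RE_PING = re.compile(r"\bping(?:\.exe)?\b.*?(\d{1,3}(?:\.\d{1,3}){3})", re.I)
# mkdir/md of a directory directly under a drive root, e.g. mkdir C:\tmp
RE_MKDIR = re.compile(r'\b(?:mkdir|md)\s+"?([a-z]:\\[^\\\s"]+)"?(?=\s|$)', re.I)
# an .exe that sits one level below a drive root, e.g. C:\tmp\payload.exe
RE_ROOT_EXE = re.compile(r'(?<![\w\\])([a-z]:\\[^\\\s"]+\\[^\\\s"]+\.exe)(?=\s|$|")', re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, so images compare case-insensitively."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[Event]) -> List[Finding]:
    """Run the four rules over events in order; directory state is kept per host."""
    created_dirs: Dict[str, Set[str]] = defaultdict(set)
    findings: List[Finding] = []
    for host, parent, cmd in events:
        tokens = cmd.split()
        child = basename(tokens[0]) if tokens else ""
        web_shell = basename(parent) in WEB_WORKERS and child in SHELLS
        if web_shell:
            findings.append((host, "web-worker-spawned-shell", cmd))

        # Rule 2: ping from a web-worker shell to something other than loopback.
        m = RE_PING.search(cmd)
        if m and web_shell and not m.group(1).startswith("127."):
            findings.append((host, "ping-callback", cmd))

        # Rule 3: a new directory at a drive root; remember it for rule 4.
        m = RE_MKDIR.search(cmd)
        if m:
            created_dirs[host].add(m.group(1).lower())
            if web_shell:
                findings.append((host, "root-level-dir-created", cmd))

        # Rule 4: an executable launched from a directory this host just created.
        m = RE_ROOT_EXE.search(cmd)
        if m:
            exe_dir = m.group(1).rsplit("\\", 1)[0].lower()
            if exe_dir in created_dirs[host]:
                findings.append((host, "exec-from-new-root-dir", cmd))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(rule for _, rule, _ in findings))


# Constructed sample events (not real telemetry); 10.10.14.5 is a made-up address.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS: List[Event] = [
    ("web01", W3WP, r"cmd.exe /c ping -n 1 10.10.14.5"),
    ("web01", W3WP, r"cmd.exe /c mkdir C:\tmp"),
    ("web01", W3WP, r"cmd.exe /c C:\tmp\payload.exe"),
    ("web01", EXPLORER, r"C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt"),
    ("web01", EXPLORER, r"cmd.exe /c mkdir C:\Users\bob\projects"),
    ("web02", W3WP, r"cmd.exe /c ping -n 1 127.0.0.1"),
]

if __name__ == "__main__":
    for host, rule, cmd in analyze(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

    The individual rules are noisy on their own (administrators do create folders and run ping), which is why the fourth rule is stateful: an executable launched from a directory the same host created moments earlier, by a shell that a web worker spawned, is the combination worth paging on. Run against the sample events, the three web01 steps each trigger, the interactive explorer.exe activity does not, and the loopback ping on web02 raises only the spawned-shell rule.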

  • edited October 2019

    If anyone rooted the box via the FTP decipher method, please PM me. I am able to root via this potato method only.
    If anyone needs assistance, let me know. I will be happy to help.

  • WOW, excellent box. I really enjoyed it.

    my hints

    1) User: Play with headers and read the forum
    2) Root: I did it with a classic Windows exploitation. Couldn't take the other way, I don't know why

    Love it

  • Rooted. I did what seemed like the "easier" priv esc... I need to go back and try the other. Wonder if the former was intended.

    If anyone needs a nudge, feel free to PM me.

  • @offsecin said:

    If anyone rooted the box via the FTP decipher method, please PM me. I am able to root via this potato method only.
    If anyone needs assistance, let me know. I will be happy to help.

    Same here. I'd like to know if it was possible or just a rabbit hole. I used the more straightforward method after a lot of time trying the other option.

  • Root was nice, really liked the f** part

    v1ew-s0urce.flv