Wall

I know this box is called Wall for a reason, cuz there is a wall we need to get past, but I’ve tried to identify this wall with a couple of methods and both say there is no wall, so I’m a little confused… yay or nay?

Fixed the script and got inside
Both Root & User are same searchsploitable exploit

Rooted. Funny box but it wasn’t easy for me. PM if need help

If anyone created their shell manually through the UI, please PM me. I’m new to this, but I would like to take a stab at it and I have a few questions regarding pollers that the docs lack info… cheers

I can definitely use some hint about bruteforcing the password in c*******.

I wrote my script, and it’s “almost” working. Every time it looks like it found a password, it’s in fact some character in the password that breaks the form and gives 403 (I found two characters that if they are in the password I get 403).

At this point I’m not even sure I’m trying with the correct username…

@Fl4st3r said:

Hello fellow hackers!
What did everyone use to get creds for c******** ? BurpSuite takes forever, and Hydra comes back with false positives. If anyone has any resources, please pm me! Thank you!
Happy hacking!

Google goes on a date with GitHub and they have a baby, look for that baby… sorry if it spoils

PM me if you’re stuck

Can someone please PM me with the script/tool that everyone used to get the creds for c******?

Rooted,
too much time for initial shell

Got my rev shell as w**-d***, stuck at privesc. Found that the S*** bit is set for the /b**/c**n executable, but I don’t know if I’m going in the right direction. PM me if you got some time to spare! Thanks.

Got user and root :slight_smile: The hardest part for me was getting the initial shell. I don’t know if I got the user and root the correct way and would like to discuss it with somebody.

Got the Shell, but does not do anything. NetCat not the right tool for this?

If anyone could pm me with a hint about the initial shell that would be great. I have confirmed that I have successful rce but I cannot get a shell for the life of me.
Edit: Never mind I have figured it out

Can anyone help with login creds? I tried brute force of the API but I’m getting nowhere.

Spoiler Removed

So finished up finally.

Those struggling to get the credentials for the app - just a heads up, I had made my own script to query the API for user credentials and it straight up did NOT work. I adapted a script from the exploit you should use which does the same function, which also threw false negatives… I ended up just trying stuff manually one at a time. If you looked through the admin docs for the product, you’ll know the username is one of two things. Then just try super easy passwords. You’ll hit it eventually.

Once you’re in. If you’re struggling with Code Execution via the exploit (like I was initially) a few things - it is very important to follow the execution of the exploit to see what is happening. Use packet capture tools to see what is happening when you send data to the server. There is a reason why it doesn’t work. Understand what the exploit is actually doing. Review the code to see what steps it is performing. Once you get it, you won’t need to run the exploit anyway. You could script something that works 10x better.

Once code execution is in place, for the life of me could not get a reverse shell sent to my machine (I think this may be due to the fact I was sometimes supplying the wrong IP address… but I digress) but in any case who says you have to? At least initially, there are other ways you could interact with the server to make your life easier.

Don’t really need to provide hints, once you have a stable shell, do the usual enumeration for root and it’s obvious.

Good job, Askar. I’ll go bang my head against a wall now. (Y)

Thank you @askar for an awesome box.
I learned a lot!
And also a big thank you to @YaSsInE who helped me a lot.

Can I get a nudge on the RCE script, for the life of me I cannot get the shell to work, something is escaping me :frowning:

@virtualgoth said:

Use packet capture tools to see what is happening when you send data to the server. There is a reason why it doesn’t work. Understand what the exploit is actually doing. Review the code to see what steps it is performing. Once you get it, you won’t need to run the exploit anyway. You could script something that works 10x better.

This is confusing, I get the CVE code needs “fixed” based on the comments, but as best I can tell, from walking through it with burp or just manually typing everything in the GUI, the script is fine, it’s a server side setting that’s preventing the payload, which can be replicated by just copying and pasting the payload in the GUI, you get the same error (based on the characters). Unless I’m missing something. I don’t see how you would script something 10x better, it’s just posting the same data you could enter in manually. I can’t figure out how to get anything to just work, even something simple like ping, which makes troubleshooting difficult.

What I don’t get, is how you kick it off if you use the GUI. I get the post to that special page in the CVE script, but I can’t find that in the GUI.

@falqon said:

@virtualgoth said:

(Quote)
This is confusing, I get the CVE code needs “fixed” based on the comments, but as best I can tell, from walking through it with burp or just manually typing everything in the GUI, the script is fine, it’s a server side setting that’s preventing the payload, which can be replicated by just copying and pasting the payload in the GUI, you get the same error (based on the characters). Unless I’m missing something. I don’t see how you would script something 10x better, it’s just posting the same data you could enter in manually. I can’t figure out how to get anything to just work, even something simple like ping, which makes troubleshooting difficult.

What I don’t get, is how you kick it off if you use the GUI. I get the post to that special page in the CVE script, but I can’t find that in the GUI.

Maybe try encoding… I hope that’s not a spoil?