Wall

Can someone please DM me how to priv esc from w**-d***? I have the shell, enumerated too, but got nothing except one uncrackable hash.

Can someone nudge me with getting the payload to work? I know there is some security solution sitting there and tried a few obfuscations, but could not get the shell to run.

Rooted this morning. Pretty interesting for my first box. Went straight from w**-d*** shell to root.

Some vague hints:
If you are having trouble with the payload, maybe find a way to see how it’s going wrong. Once I remembered a trick to do that, crafting the correct payload for a shell was way easier.
As for root, as others have said, just follow good enumeration practices, there is definitely something that stands out that’s quick and easy to exploit.

Feel free to DM for slightly less vague hints.

I am really stuck at the payload to obtain the first shell. I know how to bypass restrictions, I know how to trigger the RCE with burp or from the web gui, but yet I cannot get any of the reverse shells I tried or ping myself. Any help would be appreciated.

Edit: I think I finally got it, it might be that if you create your own po***r instead of the default you need to have certain settings on it for it to be vulnerable.

Hey guys! Enjoying working through this box with you all.

I’m currently stuck at the c******* cred stage… Have tried modifying the CVE to try common password lists against root, admin, etc. usernames with no luck. Any nudges?

I’m thinking that I should maybe have a go at Hydra again, although I couldn’t set the arguments correctly to avoid false positives previously. Thanks!

This was my first active box, took me many days but I finally got it! It took reading every post in this thread, and tons of google and some much needed help from @grxsec and @mattva01 when I felt like I had exhausted all options.

For the brute forcing, it should be really easy, so if it isn’t then that means you aren’t doing something quite right.

If you search, there is a blog post by askar about the initial exploit. Go over it in detail and you can learn how it works and you’ll be able to do it manually; then it’s a matter of figuring out what you can use and what you can’t. If something doesn’t work, see if there is a different way to do the same thing.

I had no experience with privesc and for me it was hard because I didn’t know what was supposed to jump out. In the end it was really helpful because I learned a lot while failing, because I tried a ton of things. So keep that in mind when you are frustrated and can’t figure out what to do. Just focus on one thing: maybe it’s a program you don’t know how to use but you think might help, maybe it’s a term you’ve seen mentioned but you aren’t that sure what it is or how it works, maybe it’s a CVE that looks like it might work. Take that one thing and google it and learn about it and how to use it or apply it, and remember that even if it ends up not working, you still learned something, and that will eventually pay off even if it doesn’t this time.

Thanks for all the help, and thanks for a great box, I learned more on this one than the half a dozen others I’ve done with walkthroughs.

Interesting box, got there in the end. Getting an initial shell was the harder part for sure.

Thanks to the creator.

Spoiler Removed

I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login api with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the api correctly. If someone wishes to give me a hint, please do. Otherwise I’m just gonna sleep on it.

@blaudoom said:

I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login api with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the api correctly. If someone wishes to give me a hint, please do. Otherwise I’m just gonna sleep on it.

try removing bad characters

@Bl4nkSh3ll said:

@blaudoom said:

I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login api with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the api correctly. If someone wishes to give me a hint, please do. Otherwise I’m just gonna sleep on it.

try removing bad characters

Thanks, that was a new one for me. I thought that was part of a form-encoding.

Finally rooted this dude.
User was very hard for me as it was my first machine; I spent an entire week on refining the RCE script and asked for help from my senior.
For root just read the @Bl4nkSh3ll comment.

Finally rooted as well, thanks for the hints!

Friggin finally. Wow. Tips:

Foothold: Dirbuster won’t help you get every directory, listen to your teachers. The CVE is a good “resource.” Encryption might help you in the long run.

User/Root:
What’s the sketchiest looking thing in your enum?

Thanks everybody for all of the hints! Always a good time piecing everything together.

@blaudoom, I’m not getting HTTP response “400 Bad Parameters” for any of the r*****u creds… all I seem to be getting is 200, and 403 when I manually submit some other guesses

Hi all, managed to get the web UI or Burp to talk back to me, based on the command I gave. But I could not get any further.

I have tried to get the shell by establishing a connection using all kinds of n****t ways. At some point, it did say connected from 10.10.10.157 but no response for any input.

Whatever I put to the connection will display in the response in UI/Burp after interrupting the connection (e.g. ls; will display as ls;).

…Am I on the right track?

@lmal said:

@blaudoom, I’m not getting HTTP response “400 Bad Parameters” for any of the r*****u creds… all I seem to be getting is 200, and 403 when I manually submit some other guesses

If you just get 200, you should check the responses. Maybe consider if you are sending the logins to the right place.

@blaudoom thanks for responding. I found the api page so I’m now submitting the requests to the right url I think (getting Response [403] "Bad Credentials" now… progress? haha). Unfortunately my test usernames and the r*****u list has given me nothing but 403…

I’m under the impression that the “Bad Characters” nudge refers to the cve exploit and not the c******* creds?

@lmal said:

@blaudoom thanks for responding. I found the api page so I’m now submitting the requests to the right url I think (getting Response [403] "Bad Credentials" now… progress? haha). Unfortunately my test usernames and the r*****u list has given me nothing but 403…

I’m under the impression that the “Bad Characters” nudge refers to the cve exploit and not the c******* creds?

As per my post a few comments back, I got stuck on that too. They apply to this phase.

Finally got it. First machine rooted and took way longer than it should, but a good learning experience.