Comments

  • Can someone please DM me how to priv esc from w**-d***? I have the shell and enumerated too, but got nothing except one uncrackable hash.

  • Can someone nudge me with getting the payload to work? I know there is some security solution sitting there and tried a few obfuscations, but could not get the shell to run.

    Arrexel

  • Rooted this morning. Pretty interesting for my first box. Went straight from w**-d*** shell to root.

    Some vague hints:
    If you are having trouble with the payload, maybe find a way to see how it's going wrong. Once I remembered a trick to do that, crafting the correct payload for a shell was way easier.
    As for root, as others have said, just follow good enumeration practices, there is definitely something that stands out that's quick and easy to exploit.

    Feel free to DM for slightly less vague hints.

  • edited October 2019

    I am really stuck at the payload to obtain the first shell. I know how to bypass restrictions, I know how to trigger the RCE with burp or from the web gui, but yet I cannot get any of the reverse shells I tried or ping myself. Any help would be appreciated.

    Edit: I think I finally got it, it might be that if you create your own po***r instead of the default you need to have certain settings on it for it to be vulnerable.

  • Hey guys! Enjoying working through this box with you all.

    I'm currently stuck at the c******* cred stage... Have tried modifying the CVE to try common password lists against root, admin, etc. usernames with no luck. Any nudges?

    I'm thinking that I should maybe have a go at Hydra again, although I couldn't set the arguments correctly to avoid false positives previously. Thanks!

  • edited October 2019

    This was my first active box, took me many days but I finally got it! It took reading every post in this thread, and tons of google and some much needed help from @grxsec and @mattva01 when I felt like I had exhausted all options.

    For the brute forcing, it should be really easy, so if it isn't then that means you aren't doing something quite right.

    If you search, there is a blog post by askar about the initial exploit. Go over it in detail and you can learn how it works and you'll be able to do it manually; then it's a matter of figuring out what you can use and what you can't. If something doesn't work, see if there is a different way to do the same thing.

    I had no experience with privesc, and for me it was hard because I didn't know what was supposed to jump out. In the end it was really helpful because I learned a lot while failing, because I tried a ton of things. So keep that in mind when you are frustrated and can't figure out what to do. Just focus on one thing: maybe it's a program you don't know how to use but you think might help, maybe it's a term you've seen mentioned but you aren't that sure what it is or how it works, maybe it's a CVE that looks like it might work. Take that one thing and google it and learn about it and how to use it or apply it, and remember that even if it ends up not working, you still learned something, and that will eventually pay off even if it doesn't this time.

    Thanks for all the help, and thanks for a great box, I learned more on this one than the half a dozen others I've done with walkthroughs.

    Hilbert

  • edited October 2019

    Interesting box, got there in the end. Getting an initial shell was the harder part for sure.

    Thanks to the creator.

  • Spoiler Removed

  • I guess I could just keep going, but it's frustrating. I have tried rocking the /c***** login API with common username lists. People here keep saying that it's in the beginning of ro**u*, and someone even hinted that the username was a***n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the API correctly. If someone wishes to give me a hint, please do; otherwise I'm just gonna sleep on it.

    Blaudoom

  • @blaudoom said:

    I guess I could just keep going, but it's frustrating. I have tried rocking the /c***** login API with common username lists. People here keep saying that it's in the beginning of ro**u*, and someone even hinted that the username was a***n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the API correctly. If someone wishes to give me a hint, please do; otherwise I'm just gonna sleep on it.

    try removing bad characters

  • @Bl4nkSh3ll said:

    @blaudoom said:

    I guess I could just keep going, but it's frustrating. I have tried rocking the /c***** login API with common username lists. People here keep saying that it's in the beginning of ro**u*, and someone even hinted that the username was a***n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the API correctly. If someone wishes to give me a hint, please do; otherwise I'm just gonna sleep on it.

    try removing bad characters

    Thanks, that was a new one for me. I thought that was part of a form-encoding.

    Blaudoom

  • Finally rooted this dude.
    User was very hard for me as it was my first machine; I spent an entire week on refining the RCE script and asked for help from my senior.
    For root, just read the @Bl4nkSh3ll comment.

  • Finally rooted as well, thanks for the hints!

    triki

  • Friggin finally. Wow. Tips:

    Foothold: Dirbuster won't help you get every directory; listen to your teachers. The CVE is a good "resource." Encryption might help you in the long run.

    User/Root:
    What's the sketchiest looking thing in your enum?

    Thanks everybody for all of the hints! Always a good time piecing everything together.

  • @blaudoom, I'm not getting HTTP response "400 Bad Parameters" for any of the r*****u creds... all I seem to be getting is 200, and 403 when I manually submit some other guesses.

  • Hi all, managed to get the web UI or Burp to talk back to me, based on the command I gave. But I could not get any further.

    I have tried to get the shell by establishing a connection using all kinds of n****t ways. At some point it did say connected from 10.10.10.157, but no response for any input.

    Whatever I put into the connection will display in the response in UI/Burp after interrupting the connection (e.g. ls; will display as ls;).

    ...Am I on the right track?

  • edited October 2019

    @lmal said:

    @blaudoom, I'm not getting HTTP response "400 Bad Parameters" for any of the r*****u creds... all I seem to be getting is 200, and 403 when I manually submit some other guesses.

    If you just get 200, you should check the responses. Maybe consider if you are sending the logins to the right place.

    Blaudoom

  • @blaudoom thanks for responding. I found the API page, so I'm now submitting the requests to the right URL I think (getting Response [403] "Bad Credentials" now... progress? haha). Unfortunately my test usernames and the r*****u list have given me nothing but 403...

    I'm under the impression that the "Bad Characters" nudge refers to the cve exploit and not the c******* creds?

  • @lmal said:

    @blaudoom thanks for responding. I found the API page, so I'm now submitting the requests to the right URL I think (getting Response [403] "Bad Credentials" now... progress? haha). Unfortunately my test usernames and the r*****u list have given me nothing but 403...

    I'm under the impression that the "Bad Characters" nudge refers to the CVE exploit and not the c******* creds?

    As per my post a few comments back, I got stuck on that too. They apply to this phase.

    Blaudoom

  • Finally got it. First machine rooted and took way longer than it should, but a good learning experience.

  • Finally rooted. Learned a few things on this box.
    Feel free to PM me if you're stuck or need help!

    Hack The Box
    PM me and tell me what you already have and where you are stuck. Feel free to give me some respect if I helped you!

  • tough one. Loved the journey

  • PM for nuggets

  • I don't know if I should be angry at the machine or myself. The priv-esc exploit itself was straightforward, but at least for me, I got triggered by so many things on the server that I went on several wild goose chases, and had to ask for pointers. tbh, all these things are new to me; been playing here only for like a month or so.

    Blaudoom

  • edited October 2019

    Fixed, Deleted.

  • I finally got initial shell and root on this box last night. Initial shell is the hardest part and can be nearly impossible depending on the method that you are using. HINT: You can use the exploit script to get some useful things from your system.

    lowpriv

  • @blaudoom said:

    I guess I could just keep going, but it's frustrating. I have tried rocking the /c***** login API with common username lists. People here keep saying that it's in the beginning of ro**u*, and someone even hinted that the username was a***n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the API correctly. If someone wishes to give me a hint, please do; otherwise I'm just gonna sleep on it.

    username An not an

  • @mrojz said:
    @blaudoom said:

    I guess I could just keep going, but it's frustrating. I have tried rocking the /c***** login API with common username lists. People here keep saying that it's in the beginning of ro**u*, and someone even hinted that the username was a***n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the API correctly. If someone wishes to give me a hint, please do; otherwise I'm just gonna sleep on it.

    username A***n not a***n

  • Got credentials to C****** but not sure what to change in the CVE script. Can someone give me a nudge? So close...

  • Thanks @blaudoom. Still struggling with the c******* creds (I'm pretty sure the wordlist/range that has been hinted at doesn't even contain the bad characters referenced previously? Unless I'm missing something). Just getting a heap of 403s currently (not the "Forbidden" page).
