Json

> @j4v40n654n said:
>
> > @daedalusx said:
> >
> > For someone who’s completed user: Can you PM and potentially compile for me? I have a WinVM and looks like it runs fine, but get errors with the site d****ing my input. Willing to explain quickly where I am so you know I’m this far… Not sure if it’s just my VM
>
> You do not need a WinVM, these can be crafted by hand. When I was sending my payload, it kept erroring out, and I was not watching my output terminals so I thought it was not working. So watch your return terminal and give it 2-3 minutes to respond.

Yeah, for some reason there must’ve been some extra characters in my output that were messing up the payload… finally got it working and just finished root :slight_smile:

Did anyone manage to crack the Fz* S*****.xml salted hash to root the box ? If so, let me know (struggling with the syntax due to the length of the salt).

Also if anyone has a nudge on how to privesc my way to root, I would be glad to hear it, I’m kinda stuck.

Thanks !

I’m having trouble with the payload, can anyone dm me?

> @AlPasta said:
>
> Did anyone manage to crack the Fz* S*****.xml salted hash to root the box ? If so, let me know (struggling with the syntax due to the length of the salt).
>
> Also if anyone has a nudge on how to privesc my way to root, I would be glad to hear it, I’m kinda stuck.
>
> Thanks !

hc won’t work with that salt, you can use jtr. However, I don’t think that’s the way for privesc.

.

I think I’m a bit lost on:

  • how to choose the payload among all the options
  • how to pass it to the target

I got a general idea of what should be done but I’m failing to understand how people can get rce so easily

Check the format of the message you’re using and you will reduce the possibilities a lot.
Check the version of asp.net running and you’ll find that for that moment of that version there were not too many available common (more used, popular) providers for that format.
I’d never used it before but it’s amazing to see it works (and how).

There are good readings following the tool repo.
Very nice step in.
:slight_smile:

> @dlh61 said:
>
> Check the format of the message you’re using and you will reduce the possibilities a lot.
> Check the version of asp.net running and you’ll find that for that moment of that version there were not too many available common (more used, popular) providers for that format.
> I’d never used it before but it’s amazing to see it works (and how).
>
> There are good readings following the tool repo.
> Very nice step in.
> :slight_smile:

Thank you.
I’m having issues using powershell: I cannot connect back to my machine, not sure why.
I can download from my machine in a different way but I haven’t tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

> @halfluke said:
>
> > @dlh61 said:
> >
> > Check the format of the message you’re using and you will reduce the possibilities a lot.
> > Check the version of asp.net running and you’ll find that for that moment of that version there were not too many available common (more used, popular) providers for that format.
> > I’d never used it before but it’s amazing to see it works (and how).
> >
> > There are good readings following the tool repo.
> > Very nice step in.
> > :slight_smile:
>
> Thank you.
> I’m having issues using powershell: I cannot connect back to my machine, not sure why.
> I can download from my machine in a different way but I haven’t tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

location, location, location…

> @j4v40n654n said:
>
> > @halfluke said:
> >
> > > @dlh61 said:
> > >
> > > Check the format of the message you’re using and you will reduce the possibilities a lot.
> > > Check the version of asp.net running and you’ll find that for that moment of that version there were not too many available common (more used, popular) providers for that format.
> > > I’d never used it before but it’s amazing to see it works (and how).
> > >
> > > There are good readings following the tool repo.
> > > Very nice step in.
> > > :slight_smile:
> >
> > Thank you.
> > I’m having issues using powershell: I cannot connect back to my machine, not sure why.
> > I can download from my machine in a different way but I haven’t tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.
>
> location, location

got it directly in memory. Decently painful, lol

Great!
You could first try simple movements such as trying to get a signal back, download to common folders or so and then go to more sophisticated commands knowing a bit more such as writable and callable functions available.

> @dlh61 said:
>
> Great!
> You could first try simple movements such as trying to get a signal back, download to common folders or so and then go to more sophisticated commands knowing a bit more such as writable and callable functions available.

I started with a ping but from a ping to a shell there is a long way.
It also all depends on what protection is activated on the target and how you can bypass it, if an AV prevents you from writing to disk and execute, etc. Not sure in this case as I do not have full access to the machine yet. Overall every box here is a great learning experience. D**********n is a tough topic for me as I don’t know/like java or .net

Nice box, I wasn’t familiar with the involved technologies and took me more than I expected, and that’s the way to learn.

Great!
You could first try simple movements such as trying to get a signal back, download to common folders or so and then go to more sophisticated commands knowing a bit more such as writable and callable functions available.

> @halfluke said:
>
> > @dlh61 said:
> >
> > (Quote)
>
> I started with a ping but from a ping to a shell there is a long way.
> It also all depends on what protection is activated on the target and how you can bypass it, if an AV prevents you from writing to disk and execute, etc. Not sure in this case as I do not have full access to the machine yet. Overall every box here is a great learning experience. D**********n is a tough topic for me as I don’t know/like java or .net

You can try a 2 step movement such as putting in some common writable place a common tool for next getting a rev shell back to you! :wink:
Great work BTW.

This server is horribly slow

And finally I get a super fast, and all worked like a charm

rooted.

PM for nugets

Almost there I think but struggling with the final step with the vegetable, anyone else get “Failed to start HTTP server” errors with this and have any pointers ?
Believe I know the reason why (port is in use) but not how to get around it… PS version looks to have a workaround but can’t get the PS module to run … :frowning:

edit: got there, overthinking it as ever

I don’t understand: I get in the website using the “maybetoomuchsimple” credentials… Is that a honeypot? Because those creds are apparently unuseful…

> @BadRain said:
>
> I don’t understand: I get in the website using the “maybetoomuchsimple” credentials… Is that a honeypot? Because those creds are apparently unuseful…

In the right place, keep looking at the requests and responses as you browse the site… remember the name of the box also…

Ok, I give … I am able to log in and I know where I need to aim my attack, but I am not having much luck with the POC tool. One of the payloads keeps giving me an error, and I could really use some help getting it to run through cleanly and verifying where I am aiming, etc. If anyone can give me some guidance, I would really appreciate it. Please DM me and I can show what I have and what errors I am getting.

Edit: thought I had it, but I guess I don’t … any help would still be appreciated!