Wall

Hi all, managed to get the web UI or Burp to talk back to me, based on the command I gave. But I could not get any further.

I have tried to get the shell by establishing a connection using all kinds of n****t ways. At some point, it did say connected from 10.10.10.157 but no response for any input.

Whatever I put to the connection will display in the response in UI/Burp after interrupting the connection (e.g. ls; will display as ls;).

…Am I on the right track?

@lmal said:

@blaudoom, I’m not getting HTTP response “400 Bad Parameters” for any of the r*****u creds… all I seem to be getting is 200, and 403 when I manually submit some other guesses

If you just get 200, you should check the responses. Maybe consider if you are sending the logins to the right place.

@blaudoom thanks for responding. I found the api page so I’m now submitting the requests to the right url I think (getting Response [403] "Bad Credentials" now… progress? haha). Unfortunately my test usernames and the r*****u list has given me nothing but 403…

I’m under the impression that the “Bad Characters” nudge refers to the cve exploit and not the c******* creds?

@lmal said:

@blaudoom thanks for responding. I found the api page so I’m now submitting the requests to the right url I think (getting Response [403] "Bad Credentials" now… progress? haha). Unfortunately my test usernames and the r*****u list has given me nothing but 403…

I’m under the impression that the “Bad Characters” nudge refers to the cve exploit and not the c******* creds?

As per my post a few comments back, I got stuck on that too. They apply to this phase.

Finally got it. First machine rooted and took way longer than it should, but a good learning experience.

Finally Rooted. Learned a few things on this box.
Feel free to PM me if you’re stuck or need help !

tough one. Loved the journey

PM for nuggets

I don’t know if I should be angry at the machine or myself. The priv-esc exploit itself was straightforward, but at least for me, I got triggered by so many things on the server that I went on several wild goose chases and had to ask for pointers. TBH, all these things are new to me, been playing here only for like a month or so.

Fixed, Deleted.

I finally got initial shell and root on this box last night. Initial shell is the hardest part and can be nearly impossible depending on the method that you are using. HINT: You can use the exploit script to get some useful things from your system.

@blaudoom said:

I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login api with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the api correctly. If someone wishes to give me a hint, pls do. Otherwise I’m just gonna sleep on it.

username An not an

@mrojz said:
@blaudoom said:

I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login api with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the api correctly. If someone wishes to give me a hint, pls do. Otherwise I’m just gonna sleep on it.

username A***n not a***n

Got credentials to C****** but not sure what to change in the CVE script. Can someone give me a nudge? So close…

Thanks @blaudoom. Still struggling with the c******* creds (I’m pretty sure the wordlist/range that has been hinted at doesn’t even contain the bad characters referenced previously? Unless I’m missing something). Just getting a heap of 403s currently (not the “Forbidden” page)

Nevermind, I’m an idiot (+ a n00b). If anyone is stuck at the same step as me, make sure to print out ALL your output and have a think about any potential characters that may be sent if you’re automating the process.

So I’m a little stuck. I have found the /c******* login page, and the exploit to go along with it, but I can’t get the credentials for login. I’ve been trying with Hydra for a while but to no avail. Any help would be appreciated!

Cheers.

@CanadianBacon I couldn’t get Hydra to work. Modifying the exploit to “brute-force” the login was how I went about it. Make sure to look up the centreon api and check what responses you are getting back from the page on each attempt.

@lmal said:

Thanks @blaudoom. Still struggling with the c******* creds (I’m pretty sure the wordlist/range that has been hinted at doesn’t even contain the bad characters referenced previously? Unless I’m missing something). Just getting a heap of 403s currently (not the “Forbidden” page)

How does a script know what is a single word in a wordlist?

I’m struggling to find this c******* page. Cannot find it with gobuster/dirb and am not getting the verb/teacher hint. Can someone PM me pls