Hi All, managed to get the web UI or Burp to talk back to me, based on the command I gave. But I could not get any further.
I have tried to get the shell by establishing a connection using all kinds of n****t ways. At some point, it did say connected from 10.10.10.157 but no response for any input.
Whatever I put to the connection will display in the response in UI/Burp after interrupting the connection (e.g. ls; will display as ls;).
@blaudoom, I’m not getting HTTP response “400 Bad Parameters” for any of the r*****u creds… all I seem to be getting is 200, and 403 when I manually submit some other guesses
If you just get 200, you should check the responses. Maybe consider if you are sending the logins to the right place.
@blaudoom thanks for responding. I found the api page so I’m now submitting the requests to the right url I think (getting Response [403] "Bad Credentials" now… progress? haha). Unfortunately my test usernames and the r*****u list has given me nothing but 403…
I’m under the impression that the “Bad Characters” nudge refers to the cve exploit and not the c******* creds?
As per my post a few comments back, I got stuck on that too. They apply to this phase.
I don’t know if I should be angry at the machine or myself. The priv-esc exploit itself was straightforward, but at least for me, I got triggered by so many things on the server that I went on several wild goose chases and had to ask for pointers. Tbh, all these things are new to me, been playing here only for like a month or so.
I finally got initial shell and root on this box last night. Initial shell is the hardest part and can be nearly impossible depending on the method that you are using. HINT: You can use the exploit script to get some useful things from your system.
I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login api with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the api correctly. If someone wishes to give me a hint, pls do. Otherwise I’m just gonna sleep on it.
Thanks @blaudoom. Still struggling with the c******* creds (I’m pretty sure the wordlist/range that has been hinted at doesn’t even contain the bad characters referenced previously? Unless I’m missing something). Just getting a heap of 403s currently (not the “Forbidden” page).
Nevermind, I’m an idiot (+ a n00b). If anyone is stuck at the same step as me, make sure to print out ALL your output and have a think about any potential characters that may be sent if you’re automating the process.
So I’m a little stuck. I have found the /c******* login page, and the exploit to go along with it, but I can’t get the credentials for login. I’ve been trying with Hydra for a while but to no avail. Any help would be appreciated!
@CanadianBacon I couldn’t get Hydra to work. Modifying the exploit to “brute-force” the login was how I went about it. Make sure to look up the centreon api and check what responses you are getting back from the page on each attempt.
How does a script know what is a single word in a wordlist?