Wall

Fixed, Deleted.

I finally got initial shell and root on this box last night. Initial shell is the hardest part and can be nearly impossible depending on the method that you are using. HINT: You can use the exploit script to get some useful things from your system.

@blaudoom said:

I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login API with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the API correctly. If someone wishes to give me a hint, pls do. Otherwise I’m just gonna sleep on it.

username A***n not a***n

@mrojz said:
@blaudoom said:

I guess I could just keep going, but it’s frustrating. I have tried rocking the /c***** login API with common username lists. People here keep saying that it’s in the beginning of rou* and someone even hinted that the username was a*n, but no luck. Reading from the API documentation, getting 403 Bad Credentials instead of 400 Bad Parameters should indicate that I am using the API correctly. If someone wishes to give me a hint, pls do. Otherwise I’m just gonna sleep on it.

username A***n not a***n

Got credentials to C****** but not sure what to change in the CVE script. Can someone give me a nudge? So close…

Thanks @blaudoom. Still struggling with the c******* creds (I’m pretty sure the wordlist/range that has been hinted at doesn’t even contain the bad characters referenced previously? Unless I’m missing something). Just getting a heap of 403s currently (not the “Forbidden” page)

Never mind, I’m an idiot (+ a n00b). If anyone is stuck at the same step as me, make sure to print out ALL your output and have a think about any potential characters that may be sent if you’re automating the process.

So I’m a little stuck. I have found the /c******* login page, and the exploit to go along with it, but I can’t get the credentials for login. I’ve been trying with Hydra for a while but to no avail. Any help would be appreciated!

Cheers.

@CanadianBacon I couldn’t get Hydra to work. Modifying the exploit to “brute-force” the login was how I went about it. Make sure to look up the Centreon API and check what responses you are getting back from the page on each attempt.

@lmal said:

Thanks @blaudoom. Still struggling with the c******* creds (I’m pretty sure the wordlist/range that has been hinted at doesn’t even contain the bad characters referenced previously? Unless I’m missing something). Just getting a heap of 403s currently (not the “Forbidden” page)

How does a script know what is a single word in a wordlist?

I’m struggling to find this c******* page. Cannot find it with gobuster/dirb and am not getting the verb/teacher hint. Can someone PM me pls

@lmal

@lmal said:
@CanadianBacon I couldn’t get Hydra to work. Modifying the exploit to “brute-force” the login was how I went about it. Make sure to look up the Centreon API and check what responses you are getting back from the page on each attempt.

Totally understand the frustration! If Hydra doesn’t work for you, maybe it’s easier to get rid of the “useless” part in the CVE and brute-force on a smaller customized username list and subset of the r*****u? And like many people hinted, the credentials (both username and password) are very basic and should take very little time. Hope this is not spoiling the challenge.

Also, can someone kindly give me a hint on the first shell? 3 days on this; I can get my local machine to reflect a shell to the other terminal, but the same payload hangs (no response after successful connection) after injecting to target.

While at the login page, I tried some very default creds manually and it seemed to work immediately. However, while trying to bruteforce it, those creds don’t work (+ not any other creds from wordlists). What could have happened here? Can anybody check that the creds still work?

Can someone give me a nudge with getting the first shell? I have the default creds and can access manually.

Banging my head on getting the first shell.
Examined deeply the CVE script and correctly mapped the p***** i*. Checked it was working using the default executable parameters. Encoded the payload but I always get a not found response from the server.
It is definitely driving me nuts.
Actually also verified the command existence and path from another section of the UI without success.
I am definitely overthinking this part.
Any nudge to help me sort this out?
Any PM greatly appreciated!

@pdefermat - I’m in exactly the same boat. I’ve been trying all such ways monitoring BS for the results. I just keep getting not found error. I’ve tried creating another p****r and encoding using different enc types - but the same thing. I’ve also tried variants of the usual reverse shell method but all with the same not found. I’ve made sure I’m putting the %23 at the end of the entry in n********n:
Any help would be most appreciated.
I thought I understood the CVE code and what it was doing but I am starting to lose the will to live on this one!
Any help is much appreciated

@mousebladder said:

@pdefermat - I’m in exactly the same boat. I’ve been trying all such ways monitoring BS for the results. I just keep getting not found error. I’ve tried creating another p****r and encoding using different enc types - but the same thing. I’ve also tried variants of the usual reverse shell method but all with the same not found. I’ve made sure I’m putting the %23 at the end of the entry in n********n:
Any help would be most appreciated.
I thought I understood the CVE code and what it was doing but I am starting to lose the will to live on this one!
Any help is much appreciated

Exactly the same situation I am in. I am clearly missing something…

For those having trouble with the command, try mapping stde** to stdo** in your exploit. I suspect I know the problem most of you are having with your command, and that should surface it. Feel free to DM if you need a bit more guidance.

Feel free to report as spoiler if that is too big a hint.

I found the pw for c******n by bruteforcing the API, got the coin but I do not know the exact syntax for sending the payload to the API, I still get unauthorized while trying to add the coin into the headers.

I’d appreciate some guidance, will give respect +. Feel free to hit me up on telegram, I like that chat platform a lot @antharaslair.

Is anyone able to nudge me in the right direction?