Wall

Is there a way to login to the UI of the server? I think i found the PW but keep getting 403 Forbidden in browser and burp.

Can anyone point me in the right direction please?

Type your comment> @Fr3nZy said:

Is there a way to login to the UI of the server? I think i found the PW but keep getting 403 Forbidden in browser and burp.

Can anyone point me in the right direction please?

Yes, if you can’t log in to the UI then you likely don’t have the right password after all. I would recommend checking for what your script is doing, perhaps there’s some bad characters in there.

Well, at the end of the day: rooted!

You can definitely privesc to root right away but I have to say it was fun to go to user following the path the box creator developed.

Getting back to this after more than 25 years is quite funny.

The ‘wall’ is giving me a really hard time trying to go around it. Executing the exploit by hand leads to a nice error in the UI and using other things in the UI unrelated to p*****s lead to nowhere except getting WARNING or CRITICAL yelled back at me.

Appreciate any hint :slight_smile:

–EDIT–
Nevermind, got the shell.

Can anyone help me with bruteforcing C******? I’ve had hydra running rockyou.txt for a few hours with no luck. I’ve seen talk about a CVE, but it doesnt seem to be necessary, as people have said they bruteforced it. Hints and straight up help are welcome.

Aaaand rooted! Couple of hints below.

User: there’s more than one way to get a shell, one of them is probably unintended and way more easy than the one everybody and their neighbor is trying.

Root: enumerate, you’ll see something really strange right away.

Can someone PM me an actual hint to this asinine box without talking about English teachers please? First step and already this is disgustingly CTF.

Type your comment> @ZeWanderer said:

Can anyone help me with bruteforcing C******? I’ve had hydra running rockyou.txt for a few hours with no luck. I’ve seen talk about a CVE, but it doesnt seem to be necessary, as people have said they bruteforced it. Hints and straight up help are welcome.

I’m stuck here too. I’m getting the right response when I’m testing by hand, but I have no luck with hydra. Can someone please PM me a hint on this?

Some tips on bypassing this WAF would be helpful. I’ve reverse-engineered the exploit and figured out why it’s failing and also how to execute it manually, but I can only execute basic commands because the WAF stops everything else. Any tips? PM appreciated!

Managed to log in to /c****** attempted to run CVE but unable to get it to work. Giving up soon

i got root. thank a lot to @Pratik & @lahirukkk !!! . anyone know user account plase share me~

I got root eventually as well. I greatly look forward to the official writeup for Wall explaining how the ■■■■ one is supposed to get that CVE exploit to work through the WAF; I reverse-engineered it and was able to leverage it to execute basic commands, but the WAF kept me from anything useful enough for a shell, even when I attempted to leverage the REST API. Very frustrating. In the end I got a shell through an (I believe) unintended route.

PM for hints.

Type your comment> @euclydian said:

It feels like cheating but there’s an easier way to get a shell on this machine than the CVE if you have the creds.

Ooh can you give me a hint. This box is so frustrating

Not sure what I am doing wrong. I am using a modified version of the CVE script and while I am able to POST to the place and can see the string in the GUI I still can’t get it to execute. Any hint would be really appreciated!

Type your comment> @acetum said:

Not sure what I am doing wrong. I am using a modified version of the CVE script and while I am able to POST to the place and can see the string in the GUI I still can’t get it to execute. Any hint would be really appreciated!

See the name of the box and wonder what it could mean :stuck_out_tongue:

Thanks @Ruri , I’ll do some reading on Walls :smiley:

Edit: I’m not over the wall yet, but at least the error messages are more interesting…

Type your comment> @acetum said:

Thanks @Ruri , I’ll do some reading on Walls :smiley:

I should rephrase; if you can see the command string in the gui and it doesn’t execute when you manually execute it, that’s because there’s an issue with your command string, likely because you’re injecting into a command string that has arguments you can’t control. Notice the “#” at the end of the nc line in the original exploit; that’s to comment out the rest of the line.

The “Wall” is referring to what is causing that “Forbidden” message I’m sure you’ve seen a number of times.

Oooowwww my freakin’ Lord…

Ok, i have a*., p*.*** and /m*********/ …
I tried sooooo many wordlists to find the 4th hidden directory/file to no avail !
Can you pleaaaaase provide a hint for that ?!? It will be my first box on HTB… ^^

@paps same for me :frowning:

Rooted. Interesting final path, I have a sneaking suspicion I used something that wasn’t intentionally there? Happy to discuss over PM. Was an interesting challenge and I certainly learnt a lot!