Wall

After a week and a half on this thing, I finally rooted it. Let’s just say that the exploit that was supposedly the center point of this box isn’t really all that useful (though the concept is). I went really deep down that rabbit hole and almost never came out. Until one day I said, screw it, let’s do something else. For the first part of the box, I found @argot’s comment quite useful. Then it’s more enumeration until you reach c******. Really get to know what the application in the box has to offer cause you never know when it will become useful. The biggest hint I can give for privesc is to throw an enum script at it and see what pops out. It should be straightforward afterwards.

Got the c******* credentials and cannot get further. I have no clue what people mean by using a “cheese” route to a user shell, so I am still trying to make the obvious CVE exploit work with reverse engineering. Figured out I get a 403 response every time when I run the script and I have no clue how to get around this.

If you want to help, please DM me. Much appreciated!

So I’ve found c*******, and I found the authenticated RCE and modified it to get the default creds but like @SpongySystems, I am getting blocked (403) any help would be greatly appreciated.

Hints for creating a reverse shell on the Wall (summary):

  • do not use the public exploit code directly but read the article and use the admin interface to test your “code”,
  • do not use the default poller, duplicate it and use that new one so that you can avoid the situation that another user modifies the default one,
  • test which characters and “words” are filtered by WAF rules (and cause a 403 response),
  • it is important to put proper “separator” character(s) to the end of your code,
  • if the popular application cannot support a useful switch, you can google how to use it to do the same work without that switch,
  • if you want to use “forbidden” characters, you may use some encoding combined with decoding.

I finally got the reverse shell as w******* earlier this week. Would anyone be willing to give me a hint for the next step? It’s supposed to be obvious, but I’ve been looking at the output of enumeration scripts and doing manual enumeration and nothing sticks out to me.

Okay, I’m very confused. I have modified the exploit to BF c*******, making sure to get a new CSRF token at each attempt. I get 403s on certain characters and certain words, so each time, I have to modify the list to replace the character or word. Shouldn’t this work? Do I have to use p****or to BF it? I’m really starting to hate this box.

Could someone please give me a hint for privesc from w*******? I enumerated and don’t see anything that really jumps out.

You can easily spot the vulnerability using one of the well-known privilege escalation checks. It will be useful if you know which files have some special “attribute” in a typical Linux environment.

Can anyone help me? I have managed to get all the sites etc., I have the CVE, I have used Hydra and got credentials, however they don’t seem to be working. I cannot seem to see where I have gone wrong.

Finally rooted. Here are my hints:

Initial hole:

  1. Enumeration is the very beginning step before doing anything.
  2. Try to use some different wordlists and you’ll find the door(1).
  3. The door(1) (Hint: What a teacher does in an exam) seems to be closed. Try to use some other METHOD to enter and find the door(2).
  4. Google is your best friend. It can give you the CVE. However, you cannot use the script directly to break the door(2); you need to modify it to find the keys.
  5. Inside the wall, you need to modify the script to bypass some censorship. Try harder, and then, you enter the room.

User/ROOT:

  1. Basic enumeration will show you something odd. Google it.
  2. Root dance.

Honestly, PE in the WALL was rather annoying, because I thought it should have been something tricky. However, it’s stupidly simple and easy. All you need is just to enumerate some basic information and google it. The first result is the key 🤷‍♂️

For the newbies like me who don’t know how to find the c******* page and who don’t understand the “verb” hint.

Look for “web enumeration with c****” on Google. You’ll find a way to try to log in to the m********* page with the c*** command. The answer is in the message you get back.

At least that’s how I found the page.

I got C****** and the password, but nothing seems to work. I’ve tried so many different shell combinations, and I can get over the Apache restrictions fairly easily, but nothing works. I give up. Time to wait for the write-up.

Finally rooted! @bumika thanks a lot for your last comment. I was going around in circles and your post helped me focus my search. Once you know where to look the path to root is quite simple. The first part, not so much. My advice would be to keep it simple. I lost a lot of time overcomplicating things.
This was fun and I learned a ton. Big thanks to the box creator!

Went directly from w****** to root. Will try the way from w****** → user → root soon.

PM for advice and little nudges 😉

Hi

I’ve been trying to spawn reverse shell using the well known exploit. Seems the exploit is working properly and I’m getting the token & login is successful, but I’m unable to listen it. Is there something missing in the exploit which needs to be added? Any help would be appreciated. Thanks in advance.

Greetings to all,

I’ve found m*****.php, p****.php, a***.php. While m****.php is asking for credentials, it seems like it has .htaccess, and so far no luck. Any hint would be appreciated.

Regards

Rooted! Took me a while but it’s basic.
Hint: forget the CVE, there are easier ways to root the machine. Understand the program and it will make things a whole lot easier, especially with the first shell.
Root: you will know when you see it. Use enum scripts thoroughly. Thanks @XMA

Hello. I found c*******. I use patator to brute-force this with rockyou.txt and have a lot of 403 and 200 responses (450 000+, patator working). The CVE script on upload payload has the response “bad session”. On c******** I use the documentation default user and password, but it’s not working. Where am I wrong? Please help, my first machine.

It is worth checking why the response code changes…