Wall


Comments

  • Okay, I'm very confused. I have modified the exploit to BF c*******, making sure to get a new CSRF token at each attempt. I get 403s for certain characters and certain words, so each time, I have to modify the list to replace the character or word. Shouldn't this work? Do I have to use p****or to BF it? I'm really starting to hate this box.

  • Could someone please give me a hint for privesc from w*******? I enumerated and don't see anything that really jumps out.

  • You can easily spot the vulnerability using one of the well-known privilege escalation checks. It will be useful if you know which files have some special "attribute" in a typical Linux environment.

    bumika

  • Can anyone help me, I have managed to get all the sites etc, I have the CVE, I have used Hydra and got credentials however they don't seem to be working? I cannot seem to see where I have gone wrong.

  • Finally Rooted. Here're my hints:

    Initial hole:
    1. Enumeration is the very beginning step before doing anything.
    2. Try to use some different wordlist and you'll find the door(1).
    3. The door(1) (Hint: What a teacher does in an exam) seems to be closed. Try to use some other METHOD to enter and find the door(2).
    4. Google is your best friend. It can give you the CVE. However you cannot use the script directly to break the door(2), you need to modify it to find the keys.
    5. Inside the wall, you need to modify the script to bypass some censorships. Try harder, and then, you enter the room.

    User/ROOT:
    1. Basic enumeration will show you something odd. Google it.
    2. Root dance.

    Honestly, PE in the WALL was rather annoying, because I thought it should have been something tricky. However, it's stupidly simple and easy. All you need is just to enumerate some basic information and google it. The first result is the key🤦‍♂️

  • edited October 2019
    For the newbies like me who don't know how to find the c******* page and who don't understand the "verb" hint.

    Look for "web enumeration with c****" on Google. You'll find a way to try to log in to the m********* page with the c*** command. The answer is in the message you get back.

    At least that's how I found the page.

  • I got C****** and the password, but nothing seems to work. I've tried so many different shell combinations, and I can get over the Apache restrictions fairly easily, but nothing works. I give up. Time to wait for the write-up.

  • Finally rooted! @bumika thanks a lot for your last comment. I was going around in circles and your post helped me focus my search. Once you know where to look the path to root is quite simple. The first part, not so much. My advice would be to keep it simple. I lost a lot of time overcomplicating things.
    This was fun and I learned a ton. Big thanks to the box creator!

  • Went directly from w****** to root. Will try the way from w****** -> user -> root soon.

    PM for advice and little nudges ;)

  • Hi

    I've been trying to spawn reverse shell using the well known exploit. Seems the exploit is working properly and I'm getting the token & login is successful, but I'm unable to listen it. Is there something missing in the exploit which needs to be added? Any help would be appreciated. Thanks in advance.

  • Greetings to all,

    I've found m*****.php, p****.php, a***.php. While m****.php is asking for credentials, it seems like it has .htaccess, and so far no luck. Any hint would be appreciated.

    Regards

  • Rooted! Took me a while but it's basic.
    Hint: forget the CVE, there are easier ways to root the machine. Understand the program and it will make things a whole lot easier, especially with the first shell.
    Root: you will know when you see it. Use enum scripts thoroughly. Thanks @XMA

  • Hello. I found c*******. Use patator for brute with rockyou.txt this and have a lot of 403 and 200 responses (450 000+, patator working). CVE script on upload payload have response "bad session". On c******** I use documentation default user and password, but it's not working. Where am I wrong? Please help, my first machine.

  • It is worth checking why the response code changes...

    bumika

  • Recommendations

    already when they have found the necessary credentials the well-known exploit has to be modified to work correctly
    Root / User, they should think like haircut should
    @XMA thanks your comment helped me a lot

  • edited October 2019

    Are there any bugs with the machine? I'm doing exactly the same way I did yesterday to get a shell, but wget doesn't reach my localhost by any means for 2 hours

    Edit: sometimes it can take you 2.5 hours to get a shell even if you do everything correctly

  • Guys, I have used dirbuster to find folder /mo*********** with 401 status code so I need to auth to it. What app should I use to brute-force this dir?

  • Did anyone find a way to pivot to s***** user ?

    I found the shortcut to root directly but I am curious if there is a way to pivot from w**-**** to user flag first.

    Any tips appreciated.

  • Rooted with simple ui and non CVE exploit :)

  • Finally rooted! Getting user was difficult for me, but I learned a ton about field separators and different ways to write payloads.

    k1llswitch
    "The master has failed more times than the beginner has even tried"

  • edited October 2019

    Well, I would love to learn how to crack this box. I appreciate your help via PM. I've tried hydra with rockyou.txt for http digest auth cracking, it's taking f***** long, still going on. Hope someone gives a better hint to move on.

    Regards

  • I was able to find the 2 php files and the basic auth path. I was only able to find the last API directory through the tips in the forum but don't get why no scanner, wordlist or even brute force was able to find the c******n path. A quick explanation via PM would be nice :)

  • Great box, my tips for user:

    • Focus on askar's original posts (beginning of thread) about VERBS and think about how they relate to different protocols
    • If you're at another step, think about how to DEBUG non-working scripts
    • Read k1llswitch's post above and also consider different delivery methods

    The tips for user direct to root are basically spot on: It's "basic Linux enumeration" as people kept calling it. I'm new to this so it was really tough for me (it took me several hours, no lie) but, once I found it, I was in two seconds later

    I didn't figure how to escalate from www-data to reading user.txt without root but that seems common to others' experiences. I think I've identified one way to go from (what I presume is the next step) -> root but I'm not sure how to get there

    Thanks @askar!

    subf

  • Please send PM if you want to help me with c*******, I'm a beginner

  • If anyone can nudge me towards exploiting once logged in, that'd be ace. I've got a reasonable way through but struggling at actually getting the reverse shell.

    JonnyGill

  • @JonnyGill said:
    If anyone can nudge me towards exploiting once logged in, that'd be ace. I've got a reasonable way through but struggling at actually getting the reverse shell.

    I'm on the same phase, can someone DM with help? Thanks

  • Lovely box this one. Sadly had to change VPN a few times because some people DOS the web application. As others have said, if it takes too long it most likely isn't working. Abort and rethink your approach. Also why use a prebuilt tool when you have the chance to do some coding on your own?

    Anyway I went for the user flag and do recommend it, I learned a lot. Thank you!

  • @flexbert said:

    Lovely box this one. Sadly had to change VPN a few times because some people DOS the web application. As others have said, if it takes too long it most likely isn't working. Abort and rethink your approach. Also why use a prebuilt tool when you have the chance to do some coding on your own?

    Anyway I went for the user flag and do recommend it, I learned a lot. Thank you!

    Any hint, plz PM.

  • Finally bypassed http basic auth :D of /m************* and got c********* panel. If anyone is still stuck getting the c*************** panel then I would love to help him out. Not unlike other in forum who said pm for hint then no reply back from them :(. Sharing is caring.

    Regards
