Wall

I was able to find the 2 php files and the basic auth path. I was only able to find the last API directory through the tips in the forum but don’t get why no scanner, wordlist or even brute force was able to find the c******n path. A quick explanation via PM would be nice :slight_smile:

Great box, my tips for user:

  • Focus on askar’s original posts (beginning of thread) about VERBS and think about how they relate to different protocols
  • If you’re at another step, think about how to DEBUG non-working scripts
  • Read k1llswitch’s post above and also consider different delivery methods

The tips for user direct to root are basically spot on: it’s “basic Linux enumeration” as people kept calling it. I’m new to this so it was really tough for me (it took me several hours, no lie) but, once I found it, I was in two seconds later.

I didn’t figure out how to escalate from www-data to reading user.txt without root but that seems common to others’ experiences. I think I’ve identified one way to go from (what I presume is the next step) → root but I’m not sure how to get there.

Thanks @askar!

Please send a PM if you want to help me with c*******, I’m a beginner.

If anyone can nudge me towards exploiting once logged in, that’d be ace. I’ve got a reasonable way through but struggling at actually getting the reverse shell.

@JonnyGill said:
If anyone can nudge me towards exploiting once logged in, that’d be ace. I’ve got a reasonable way through but struggling at actually getting the reverse shell.

I’m on the same phase, can someone DM me with help? Thanks

Lovely box this one. Sadly had to change VPN a few times because some people DOS the web application. As others have said, if it takes too long it most likely isn’t working. Abort and rethink your approach. Also why use a prebuilt tool when you have the chance to do some coding on your own?

Anyway I went for the user flag and do recommend it, I learned a lot. Thank you!

@flexbert said:

Lovely box this one. Sadly had to change VPN a few times because some people DOS the web application. As others have said, if it takes too long it most likely isn’t working. Abort and rethink your approach. Also why use a prebuilt tool when you have the chance to do some coding on your own?

Anyway I went for the user flag and do recommend it, I learned a lot. Thank you!

Any hint, plz PM.

Finally bypassed HTTP basic auth :smiley: of /m************* and got the c********* panel. If anyone is still stuck getting the c*************** panel then I would love to help them out. Unlike others in the forum who said PM for a hint and then never replied :frowning: . Sharing is caring.

Regards

@XMA said:

Rooted.

I don’t know why people are trying to get a shell the hardest way, trying to fix and run that exploit; there is a far easier method to get in without any exploit. This box was so strange, I got the w******* shell so easily but I got stuck so much in getting to root. I think privesc is not that easy. If you are really stuck in privesc, see the Haircut privesc walkthrough.

Could you give any hint to get the credentials for the c******* login, or any other method to get the w******* shell please?

@djiloubluehat said:

@XMA said:

Rooted.

I don’t know why people are trying to get a shell the hardest way, trying to fix and run that exploit; there is a far easier method to get in without any exploit. This box was so strange, I got the w******* shell so easily but I got stuck so much in getting to root. I think privesc is not that easy. If you are really stuck in privesc, see the Haircut privesc walkthrough.

Could you give any hint to get the credentials for the c******* login, or any other method to get the w******* shell please?

Getting the credentials and getting the first shell are different parts and each one can be worked out in different ways. I can just say that I got the credentials fuzzing with ZAP, you just have to know how to set up your ZAP with CSRF-token environments. And then once logged in I got the shell in a simple way through the admin panel. I didn’t use any exploit at all in either process.

EDIT: Rooted. It’s staring you in the face.

I really liked this machine, I don’t understand the qualifications. If you are starting with the wall, take out burp and enjoy.

Nvm, got it.

Any nudge on user? I am in the config for my p***** and setting the b***** to any command to get a shell is giving 403.
I thought I got a good command for a shell that saved, but when trying to execute it fails. Missing something…

Got it. Wow, that took a lot of trial and error but finally got my www-data shell.
Priv esc was pretty easy after basic enum. Kept missing it so had to re-read my enum results too many times.

Lmfaooo the public exploit can only unleash the beast, you have to manually feed it in the interface.

Just rooted this!

Finding the /c****** was a whole challenge.

thanks to @Chantal2019 and @ReapeRRR for the help :slight_smile:

Currently stuck with /p****.***, /m*********/ and a*.***, any tips? Which dict did you guys use for discovering c*******?

Stuck with c*****, the API call hits a 403 :confused: Any other way to get the password? Hydra failed to get the credentials.

@kmahyyg said:

Currently stuck with /p****.***, /m*********/ and a*.***, any tips? Which dict did you guys use for discovering c*******?

  • Work on /m*****
  • Understand the HTTP requests and try to modify them.

Too much of a hint -> capture all the requests -> before, after, current.

Note: Don’t get frustrated or carried away. Try all the methods, that’s how you learn it.

@eight said:

@kmahyyg said:

Currently stuck with /p****.***, /m*********/ and a*.***, any tips? Which dict did you guys use for discovering c*******?

  • Work on /m*****
  • Understand the HTTP requests and try to modify them.

Too much of a hint -> capture all the requests -> before, after, current.

Note: Don’t get frustrated or carried away. Try all the methods, that’s how you learn it.

Thank you. Currently stuck on bypassing the WAF on /cxxxxxxxx’s API call, which must filter some keywords.