Smasher2

easy :)

Look what we have here. I’m glad the bruteforce part was removed

Did anyone do user the intended way? I couldn’t find the “real” vulnerability. Would someone enlighten me? Disclaimer: I rooted the box.

Segfault is killing me! xD

I’m ashamed to say that I might need a nudge on user. I have tried everything I could think of but have been unable to crack the beverage container.

Can I have a hint on the directory? I’ve tried dirb with every wordlist I know of, on HTML and PHP, but gotten nothing.

Guys, I got the user using RCE and pe** reverse shell through bt, I didn’t use SSH, but I believe the rooting should be done with ssh, because I found it’s possible to exploit the box using MP exploitation, so I created and copied my pub keys to user dzy/.ssh/authorized_keys, which was successful, but when I try to ssh using "ssh -i id_rsa d****zy@smasher2.htb" the box is asking for the user password!! What am I missing? Can anyone hint me, please???

Rooted. That was fun.

Hey guys, newcomer here, I managed to get the job working but I cannot bypass the WAF, any pointers?

I can’t seem to find the URL for using the credential that I found??

@Aperture32 said:
Can I have a hint on the directory? I’ve tried dirb with every wordlist I know of, on HTML and PHP, but gotten nothing.

Same here… did you find it?

EDIT: Nevermind… investigate port 53 and learn how to use dig.

@Identity404 said:
Same here… did you find it?

EDIT: Nevermind… investigate port 53 and learn how to use dig.

I tried dig and dnsenum and got the IP addr and domain name

@nav1n said:
Guys, I got the user using RCE and pe** reverse shell through bt, I didn’t use SSH, but I believe the rooting should be done with ssh, because I found it’s possible to exploit the box using MP exploitation, so I created and copied my pub keys to user dzy/.ssh/authorized_keys, which was successful, but when I try to ssh using "ssh -i id_rsa d****zy@smasher2.htb" the box is asking for the user password!! What am I missing? Can anyone hint me, please???

That is weird, I could login via ssh.

Rooted. I really liked this box. Learned something new.

Wrote 2 scripts for the intended route for user (or at least w-d) but the server seems to crash if I go too fast with either script. And I don’t think the “grep for c” hint helped. Am I doing it wrong? Can someone PM a hint?

I think, and I could be wrong, but the Grep For C hint was for when there was a basic auth turned on this server (which is now off I hear). You are correct there is something that will stop you from hammering this server with some requests…

Are there any creds in ***.so? It seems like I need them to progress, but nothing.
Edit: Got user, pretty interesting. Now the journey to root.
E2: Thanks to @v1p3r0u5 for sharing the root method. While I wouldn’t have found it on my own, I definitely learnt a lot from the writeups

Just rooted this. What an amazing box! If people need help please contact me on Discord since I don’t look here.

I will give the hints that apply to me the most.
User: don’t get stuck on reversing that file, it only gives you a limited bit of information (in 2 parts).
Bruteforcing/guessing may be needed, I didn’t expect this from this box. Someone had to hint it to me.
Root: I had to go to the library to figure out this one.

Got root. User is good but I don’t like guessing. Root is not brainfuck at all, some unusual enumeration (Thanks @menessim for initial direction) and next step was very easy.

The first Smasher was worth a badge. I feel like this one should have been worth a badge too. Can’t wait for Smasher3. I hope that one comes with a badge.