Wall

Comments

  • @XMA said:

    Rooted.

    I don't know why people are trying to get a shell the hardest way, trying to fix and run that exploit; there is a far easier method to get in without any exploit. This box was so strange, I got the w******* shell so easily but I got stuck so much in getting to root. I think privesc is not that easy. If you are really stuck in privesc, see the Haircut privesc walkthrough.

    Could you give any hint to get the credentials for the c******* login, or any other method to get the w******* shell, please?

  • @djiloubluehat said:

    @XMA said:

    Rooted.

    I don't know why people are trying to get a shell the hardest way, trying to fix and run that exploit; there is a far easier method to get in without any exploit. This box was so strange, I got the w******* shell so easily but I got stuck so much in getting to root. I think privesc is not that easy. If you are really stuck in privesc, see the Haircut privesc walkthrough.

    Could you give any hint to get the credentials for the c******* login, or any other method to get the w******* shell, please?

    Getting the credentials and getting the first shell are different parts, and each one can be worked out in different ways. I can just say that I got the credentials fuzzing with ZAP; you just have to know how to set up your ZAP with csrf-token environments. And then, once logged in, I got the shell in a simple way through the admin panel. I didn't use any exploit at all in either process.

  • edited November 2019

    EDIT: Rooted. It's staring you in the face.

  • I really liked this machine, I don't understand the qualifications. If you are starting with the wall, take out burp and enjoy.

  • edited November 2019

    nvm got it

  • edited November 2019

    any nudge on user? I am in the config for my p***** and setting the b***** to any command to get a shell is giving 403.
    I thought I got a good command for shell that saved but when trying to execute it fails. Missing something..

    got it. Wow that took a lot of trial and error but finally got my www-data shell
    priv esc was pretty easy after basic enum. Kept missing it so had to re-read my enum results too many times.

  • Lmfaooo the public exploit can only unleash the beast, you have to manually feed it in the interface.

  • Just rooted this!

    finding the /c****** was a whole challenge

    thanks to @Chantal2019 and @ReapeRRR for the help :)

  • edited November 2019

    currently stuck with /p****.***, /m*********/ and a*.***, any tips? Which dict did you guys use to discover c*******?

  • stuck with c*****, api call hit with 403 :/ any other way to get the password? hydra failed to get the credential.

  • @kmahyyg said:

    currently stuck with /p****.***, /m*********/ and a*.***, any tips? Which dict did you guys use to discover c*******?

    • work on /m*****
    • Understand the HTTP requests and try to modify the requests.

    too much hint ---> capture all the requests --> before, after, current.

    Note: Don't get frustrated or carried away. Try all the methods, that's how you learn it.

  • @eight said:

    @kmahyyg said:

    currently stuck with /p****.***, /m*********/ and a*.***, any tips? Which dict did you guys use to discover c*******?

    • work on /m*****
    • Understand the HTTP requests and try to modify the requests.

    too much hint ---> capture all the requests --> before, after, current.

    Note: Don't get frustrated or carried away. Try all the methods, that's how you learn it.

    Thank you. Currently stuck on bypassing the WAF on /cxxxxxxxx's API call, which must have filtered some keywords.

  • So I have dirb'ed, gotten back a few hits, one of which prompted something strange... but not to be punny, kind of at a wall. New to this, very green, and not sure how to proceed next. Any advice?

  • anyone bypass the waf and get a successful reverse shell? pm hint plz

  • @SullyInATX said:

    I'm a complete beginner at this, although I do have 15+ years of IT/networking experience (sysadmin). Trying to change fields. I was able to discover all of the files/directories. I've read every comment on every page for this box - I'm definitely an over-thinker. I would prefer to brute-force the login, even though it's said it is not needed (just for practice). I've tried Hydra, wfuzz and Burp. I can't get Burp to receive a response in the proxy listener; the login prompt appears immediately, unlike a normal login page. Would someone be so kind as to help steer me in the right direction? Maybe I'm using Hydra, wfuzz and Burp wrong, although I've used them before (but only while following Ippsec's videos) and, especially with Burp, semi-know what I'm doing. PMs today greatly appreciated!

    check the api docs for authentication through the api. it's not working with those tools because there is a csrf token in a hidden input that you have to read and send along with the post data. but you don't have to do any of that with the api

  • I found a way to get into the c****** page and found the credentials using brute force...
    But when I try to access the ma**.***.*** I get redirected to the login page.
    Can someone give me a nudge on how to get past it?
    I also think that this is the reason for the CVE not working (because I couldn't get the CSRF token because of the redirection)

  • wow !!! I understand why so many people are frustrated with this box
    Getting a shell was a pain and so many rabbit holes
    ROOTED the easy way..

    DM me if you need help.

  • Hi, I've been stuck on the wall too much. I have discovered **.php, p****.php, /m*********/ and /c*******/. So I have a web login page of a vulnerable web app that requires authentication to be exploited.
    Any suggestions? Please, it is so frustrating ....

  • Finally ROOTED ! :D

    I wouldn't have succeeded without some help to modify the CVE c****** to get the first shell.
    (Thx @JadeWolf )

    After, for the privesc you need to find the right exploit.
    DM me if you need help.

  • edited November 2019

    wrongpost

  • PM for Nuggets

  • Hi,
    I'm hoping someone can help me?

    I've managed to get into the C******* system and have found the CVE, which I have modified to get RCE via either the script or manually through editing in the Web App and using Burp.
    I know the RCE is working as I can ping myself and see requests coming back with tcpdump and also read back results of commands I've passed (e.g. running whoami or ls commands). Whatever I seem to try, though, I'm not able to get an interactive reverse shell to work using this method. I've tried multiple types but none of them connect back? (I'm guessing due to the same thing that made getting the RCE working difficult)!
    Should I be able to get a reverse shell from here or do I need to enumerate further to get a shell?

    TiA

    jaxigt

  • @XsecSploit said:
    Hi,
    I'm hoping someone can help me?

    I've managed to get into the C******* system and have found the CVE, which I have modified to get RCE via either the script or manually through editing in the Web App and using Burp.
    I know the RCE is working as I can ping myself and see requests coming back with tcpdump and also read back results of commands I've passed (e.g. running whoami or ls commands). Whatever I seem to try, though, I'm not able to get an interactive reverse shell to work using this method. I've tried multiple types but none of them connect back? (I'm guessing due to the same thing that made getting the RCE working difficult)!
    Should I be able to get a reverse shell from here or do I need to enumerate further to get a shell?

    TiA

    I was able to make a basic interactive shell by modifying the exploit. Basically put the CVE exploit into a while loop, but that's as far as I have gotten. Did you try connecting back to your http server?

  • I am stuck on what to do next. Found the **.p and p*****.php and /m********. Is there something else I'm missing???

  • Rooted. Thanks to @lmal for the hints.

    Feel free to PM me for tips.

  • ok found c******* but did not get in to m********
    do I need to get in there first because the CVE asks for creds?

    madhack
    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • @coolZero1473 said:

    I am stuck on what to do next. Found the **.p and p*****.php and /m********. Is there something else I'm missing???

    try testing what you found with request methods other than GET

  • @madhack said:
    ok found c******* but did not get in to m********
    do I need to get in there first because the CVE asks for creds?

    I was able to brute force the password; others are saying that isn't necessary, I'd like to know how they did it

  • I managed to get user, but unsure how to escalate to root now..

  • edited November 2019

    .

    BadRain