Json

Rooted :slight_smile: I was stuck in one place, but @m3ll0 wrote a hint that works :slight_smile: Getting root is super easy with vegi :slight_smile:

@kamgor said:

Rooted :slight_smile: I was stuck in one place, but @m3ll0 wrote a hint that works :slight_smile: Getting root is super easy with vegi :slight_smile:

Ayy nice work :slight_smile:

PM for Nuggets

Hack The Box

Hello! I have done a TON of research on anything that I have found myself unfamiliar with while doing this box and have learned soooo much! I picked this box because JSON hacking is an area I am not comfortable in. However, it seems I still have just enough gaps in my knowledge to not quite understand how to get user.

So far:
Got past login easy
Found /a__/t___ and /a__/a___s
Understand what these are doing
Have mapped out the application and the related services etc
Understand the vulnerability to exploit and how it works
Understand how to craft a payload to exploit the vulnerability

Essentially I feel I can’t seem to understand how to locate where I should be sending my payload, how said vulnerability and attack should be executed in this context, and what to do with the information I have now in order to proceed with this form of attack.

I think everything I need is right in front of me but I can’t put the last pieces of the puzzle together. Any help is greatly appreciated! :slight_smile: I would also be grateful for any resources that may help me educate myself on this subject more! Thanks :stuck_out_tongue:

Hi!

I’m trying to get a little further for a looooong long while now, but I’m really stuck. So I’m reaching out to you guys.

I know I need to use the Yal.N tool. But I have no idea how to use it and, more importantly, where to use it. I’m fuzzing with the /a/t** page and think this is where I have to inject. I also generated an HTTP 500, is this where I can find my info for the serial tool?

Can someone give me a nudge on where to inject and maybe which module to use?
Thank you!

-Edit:
I think I got a little further. I know where to inject. It’s the B***er if I’m not wrong. I got the system to talk back now. Just have to adjust my payload.

I am stuck on root. I think I found the correct exploit, but there is an ID option which can differ depending on the OS. I tested this ID with a test script and found one value, but it still failed.

Edit:
Done. Just needed one more step

I have rooted this machine using a kernel exploit, but I am very interested if there is another way (let’s say some kind of misconfig). PM me please in case you know.

I have tried all the exploits suggested by the Metasploit Windows Exploit Suggester and PowerShell Sherlock. However, none of them helped with privilege escalation. Who can PM me which exploit I can use to do Windows privilege escalation?

Finally, rooted. Thanks a lot for the help!

After a nudge for the initial foothold, I’ve found the p******.t** file (think it’s useless) and have tried username enumeration (attempting to get a different HTTP response, but to no avail). Not quite sure if I’m looking in the right places.

Hi everyone,

Stuck on initial foothold.
General noob question:
Is it correct of me to presume that obtaining the username + password for the logon page is essential before considering sending any form of payloads?

@acidbat said:

Hi everyone,

Stuck on initial foothold.
General noob question:
Is it correct of me to presume that obtaining the username + password for the logon page is essential before considering sending any form of payloads?

Yes, it is.

@bumika said:

@acidbat said:

Hi everyone,

Stuck on initial foothold.
General noob question:
Is it correct of me to presume that obtaining the username + password for the logon page is essential before considering sending any form of payloads?

Yes, it is.

Cheers :slight_smile:

Hi
User: I can ping myself but cannot get a reverse shell using PowerShell and the DownloadString method. Please help me.

user: main problem is to do it without installing a Windows VM
root: took 20 minutes, too easy :frowning:

Hey there,

I have generated a payload using ys#s##al.
However, when trying to send the payload using Burp I get the following message:
{"Message":"An error has occurred.","ExceptionMessage":"Invalid format base64","ExceptionType":"System.Exception","StackTrace":null}

Bit confusing since the format is base64…

For the initial foothold I managed to create a ping payload which works, but I fail to create a payload that would either give me a rev shell back or transfer files to the victim. Can someone give me a nudge on getting the payload right?

UPDATE:
rooted!
User: When constructing the payload, think about special characters.
Root: Nothing really to add here. A lot of hints already here in the forums.

LOST. Just… lost.
Intercepting requests, see the potential attack vector. Not sure how to actually execute it.
Please could someone PM me to discuss… Really stumped with this one.

I have been trying so many things with no luck. Will anyone help me out with the initial foothold? DM me please?

I need help with the payload ys … net my command line P … shell is a batch command so I could not operate without the “” that are necessary for the batch

solved