Wall

The previous comment was meant for the postman box, sorry about that. I hope I didn’t throw anyone off. My previous post has nothing to do with this box at all. Here - http://urfsecurity.info/posts/linuxprivesc/ please remove if this is a spoiler.

I’ve already modified the script many times; the standard one didn’t get the right token. But requests to m+++.g++.p++ always get 403.

NVM got it. First time it didn’t work… PM me if you need help.

I found c****, now should I brute force? Hint me pls

Thanks to @askar for a great box. Learned a lot.

Guys, getting the reverse shell is a pain. I found the CVE exploit and modified it but still can’t get a response in my ncat listener. I’m totally stuck. Help me please.

I just uploaded a new version of the exploit on Github. It should make debugging and editing the script less painful.

Can’t post the link here b/c spoilers, but it should be easy to find if you know what you’re looking for.

Overall, I really didn’t like this machine. It was all about the things I hate most in CTF.

Negatives:

  • Lame CTF tricks to find foothold (i.e. what you do at m********g)
  • Web-app brute-forcing. It might not take long to crack but it’s still a pain that doesn’t really add much to the machine.
  • Sloppy exploit code. Unfortunately this is realistic, but I hate when exploits don’t use functions, or aren’t written for readability, or have hard-coded values that make the code break easily.
  • Unrealistic defense. In this case, it seems like the app’s defense is written specifically to make using the exploit a pain. Realistically, I think an admin who knows about this exploit would update to a version that’s not vulnerable. I also think the 403 code is misused and deliberately misleading, but admittedly an admin trying to prevent an exploit wouldn’t want to help attackers debug…
  • As soon as you get in, it’s over.

Positives:

  • Learn patience and debugging
  • Classic OSCP privesc.


@GetGetGetGet said:
Overall, I really didn’t like this machine. It was all about the things I hate most in CTF.

+1

Priv esc. to root was the same as on a retired machine. Overall, the machine was a pain.

Does anyone have websites/resources explaining why the “VERB” hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.

@reedsee said:

Does anyone have websites/resources explaining why the “VERB” hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.

It is an artificial configuration option and I think there is no System Administrator on the Earth who chooses it.

Finally I managed to get a shell. Any hint to get from w**-**** to s****y ?
edit: rooted 🙂

Can someone PM me a hint? I have discovered the m…php a…php and p…php page but I don’t know how I can bypass or login in m…

Help in c********* cardinals
Found it but I don’t know the relation between it and the CTF
Thanks @LoRKa
Now I am editing the CVE exploit to get a shell

@Meise said:

Can someone PM me a hint? I have discovered the m…php a…php and p…php page but I don’t know how I can bypass or login in m…

I’ve decrypted the b4 hash and I get some credentials, but I don’t know how to pass it in m*****

edit: I think those are wrong credentials… you all say that there is a page named c***…

edit2: done, I have the login page. I was so dumb.

OK, I have a PHP shell but the s…h is not working; it shuts down after the first line.
It is the right version but keeps failing.
I am in a rwx dir. Please advise.

@argot said:

@n4sa said:

Completely stuck here with just a*.php, p****.php, m*********, s*****-******.

@argot can you give us another hint? lol

So, I figure there are two ways to get this. “Very good OSINT skills” or VERBS.

English teachers can be very good at monitoring their class. Oftentimes, if you use the wrong verb, they won’t let you go. If you use different VERBS, maybe they’ll let you go or at the very least they’ll be more talkative.

There are lots of verbs in the dictionary, but really you only need to know, like, six of them. Especially when trying to get a foothold.

thanks for the tip!

So while trying to get user (trying to add p****** or h*******), I am getting a lot of Forbidden (on m*****.g******.p*****). Is this meant to happen?! I’d appreciate some guidance!

@0X44696F21 said:

So while trying to get user (trying to add p****** or h*******), I am getting a lot of Forbidden (on m*****.g******.p*****). Is this meant to happen?! I’d appreciate some guidance!

I’m in the same situation, trying to find a way around

Can someone hint regarding rooting this Wall? I’ve tried screen local privileged but failed. PM for a hint