Wall

Comments

  • Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.

  • edited November 2019

    Can someone give me a tip/PM for implementation of the priv escalation? I think I am on the right way, but the sticky CVE thing doesn't let me pop a root shell. When I try to reverse shell I can't redirect stdin/out for known reasons.

  • @cr0ssbon3s said:

    Rooted. Man, I have mixed feelings about this box. On the one hand there were some parts of this that were needlessly/unrealistically annoying, like the 403 errors during the user portion. On the other hand I learned some things and found new ways around filters because of this box.

    Any hint to avoid the 403 on the user phase (m*.g.p**)?

    BadRain

  • Finally rooted! I have gained knowledge on Cen****n and WAF filters.

    Thank you guys for providing the hints @r0xas and @zachosk

  • edited November 2019

    The previous comment was meant for the postman box, sorry about that. I hope I didn't throw anyone off. My previous post has nothing to do with this box at all. Here - http://urfsecurity.info/posts/linuxprivesc/ please remove if this is a spoiler.

    Huejash0le

  • I've already modified the script many times; the standard one didn't get the right token. But requests to m+++.g++.p++ always get 403.

    BadRain

  • edited November 2019

    NVM got it. First time it didn't work.... PM me if you need help.

  • I found c****, now should I brute force? Hint me pls

  • Thanks to @askar for a great box. Learned a lot.

  • Guys, getting the reverse shell is a pain. Found the CVE exploit and modified it but still can't get a response in my ncat listener. I'm totally stuck. Help me please.

  • edited November 2019

    I just uploaded a new version of the exploit on Github. It should make debugging and editing the script less painful.

    Can't post the link here b/c spoilers, but it should be easy to find if you know what you're looking for.

    Hack The Box

  • Overall, I really didn't like this machine. It was all about the things I hate most in CTF.

    Negatives:

    • Lame CTF tricks to find foothold (i.e. what you do at m********g)
    • Web-app brute-forcing. It might not take long to crack but it's still a pain that doesn't really add much to the machine.
    • Sloppy exploit code. Unfortunately this is realistic, but I hate when exploits don't use functions, or aren't written for readability, or have hard-coded values that make the code break easily.
    • Unrealistic defense. In this case, it seems like the app's defense is written specifically to make using the exploit a pain. Realistically, I think an admin who knows about this exploit would update to a version that's not vulnerable. I also think the 403 code is misused and deliberately misleading, but admittedly an admin trying to prevent an exploit wouldn't want to help attackers debug...
    • As soon as you get in, it's over.

    Positives:

    • Learn patience and debugging
    • Classic OSCP privesc.

    Hack The Box

  • @GetGetGetGet said:
    Overall, I really didn't like this machine. It was all about the things I hate most in CTF.

    +1

    Priv esc. to root was the same as on a retired machine. Overall, the machine was a pain.

    k4wld
    Discord: k4wld#5627

  • Does anyone have websites/resources explaining why the "VERB" hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.

  • edited November 2019

    @reedsee said:

    Does anyone have websites/resources explaining why the "VERB" hint works? Seems like a purely CTF trick, but curious if this is really a common vulnerability in the wild, and also why it works.

    It is an artificial configuration option and I think there is no System Administrator on the Earth who chooses it.

    bumika

  • edited November 2019

    Finally I managed to get a shell. Any hint to get from w**-**** to s****y ?
    edit
    rooted :)

    BadRain

  • Can someone PM me a hint? I have discovered the m...php, a...php and p...php pages but I don't know how I can bypass or log in to m...

  • edited November 2019

    Help in c********* cardinals
    Found it but I don't know the relation between it and the CTF
    Thanks @LoRKa
    Now I am editing the CVE exploit to get a shell

  • edited November 2019

    @Meise said:

    Can someone PM me a hint? I have discovered the m...php, a...php and p...php pages but I don't know how I can bypass or log in to m...

    I've decrypted the b****4 hash and I get some credentials, but I don't know how to pass it in m*********

    edit: I think those are wrong credentials... you all say that there is a page named c***...

    edit2: done, I have the login page. I was so dumb.

  • OK, I have a PHP shell but the s.....h is not working; it shuts down after the first line.
    It is the right version but keeps failing.
    I am in a rwx dir. Please advise.

    madhack
    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • @argot said:

    @n4sa said:

    Completely stuck here with just a*.php, p****.php, m*********, s*****-******.

    @argot can you give us another hint? lol

    So, I figure there are two ways to get this. "Very good OSINT skills" or VERBS.

    English teachers can be very good at monitoring their class. Oftentimes, if you use the wrong verb, they won't let you go. If you use different VERBS, maybe they'll let you go or at the very least they'll be more talkative.

    There are lots of verbs in the dictionary, but really you only need to know, like, six of them. Especially when trying to get a foothold.

    thanks for the tip!

    SIG

  • So while trying to get user (trying to add p****** or h*******), I am getting a lot of Forbidden (on m*****.g******.p*****). Is this meant to happen?! I'd appreciate some guidance!

    SIG

  • @0X44696F21 said:

    So while trying to get user (trying to add p****** or h*******), I am getting a lot of Forbidden (on m*****.g******.p*****). Is this meant to happen?! I'd appreciate some guidance!

    I'm in the same situation, trying to find a way around

    rootmotus

  • Can someone give a hint regarding rooting this Wall? I've tried screen local privilege but failed. PM for a hint.

  • edited November 2019

    Now the script is not working. Just dies. What's going on guys?
    For 3 days no problems getting the first shell, now even after reset nothing????
    Same script, same all. And yes, I have changed my IP in the script.
    Did it a couple of times already. Grrrr

    madhack
    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • Never mind got a shell thanks to the web apps working now on privesc :)

    rootmotus

  • Rooted !

    User was hard for me (I succeeded with and without the exploit but it was haaard)
    PM me if you're stuck I'll be happy to help you.

    Root is so easy it takes 5 min max.

    Hack The Box

  • edited November 2019

    Alright, rooted! This is my first box :D

    To get the right page:

    1. The common thing done by the teacher for their students during an exam. The right script to enumerate the page will help you.

    The user:

    1. This is easy; this is very common, actually you don't need to brute force it. But if you experience difficulty there's a right wordlist.

    The shell:

    1. CVE > but it will not work easily; you need to modify it to get the shell.

    Privilege Escalation:

    1. CVE > Remember ippsec's website will give you help. Just do a good enumeration after you get in to the shell. If you find an interesting thing based on your enumeration, just use it as a search term.

    Thanks to @Kaligero and @GetGetGetGet

  • @anguzmar said:
    > Man that was painful, took me ages to get the first shell to work, and then the machine was crashing every few minutes so I had to redo the process over and over again.
    >
    > After getting shell, the exploit to get root wasn't working either and was throwing a very obscure error. Turns out the issue has to do with leftovers from windows.
    >
    > A few pointers:
    >
    > * Forget the CSRF token, use the API.
    > * First CVE: Print the result of your requests. If you get 403, there is a reason for it.
    > * Second CVE (privesc): Basic enumeration, it stands out pretty quick. If you use vim, set ff=unix.

    Noob question, but... when using Burp, I can see which page gives us a "403". But how do you ask the Python script to print the result of each command on screen?

  • edited November 2019

    Finally, after long work, rooted the box.

    Thanks to you guys:
    @jrgdiaz
    @r0xas
    @stoffern
    @beorn

    Regards
