So while trying to get user (trying to add p****** or h*******), I am getting a lot of Forbidden (on m*****.g******.p*****). Is this meant to happen?! I’d appreciate some guidance!
I’m in the same situation, trying to find a way around
Now the script is not working. It just dies. What's going on, guys?
For 3 days no problems getting the first shell, now even after a reset nothing???
Same script, same everything. And yes, I have changed my IP in the script.
Did it a couple of times already. Grrrr.
To get the right page’
The common thing that is done by the teacher for their students during an exam. The right script to enumerate the page will help you.
The user’
This is easy; this is very common, actually. You don’t need to brute force it, but if you experience difficulty there are the right wordlists.
The shell’
CVE > but it will not work easily; you need to modify it to get the shell.
Privilege Escalation’
CVE > Remember, ippsec’s website will give you help. Just do good enumeration after you get into the shell; if you find an interesting thing based on your enumeration, just use it as a search term.
Man that was painful, took me ages to get the first shell to work, and then the machine was crashing every few minutes so I had to redo the process over and over again.
After getting a shell, the exploit to get root wasn’t working either and was throwing a very obscure error. Turns out the issue had to do with leftovers from Windows.
A few pointers:
Forget the CSRF token, use the API.
First CVE: Print the result of your requests. If you get 403, there is a reason for it.
Second CVE (privesc): Basic enumeration, it stands out pretty quick. If you use vim, set ff=unix.
Noob’s question, but… when using Burp, I can see which page gives us a “403”. But how do you ask the Python script to print the result of each command on screen?
Hey everyone, I am completely new at this and I don’t have a clue how to start. I know you have to start with a scan, and I used nmap and dirbuster, but somehow I get nothing from it. Can someone PM me to get me started?
@danKawan said:
Alright, rooted! This is my first box.
Well, I’m done with the box, but I would like to know how you got usr/cred using the API method. PM.
Hi guys, could someone help me? I had a match for the creds, but it is no longer working, so I think I’m on the wrong way. I will explain my process and where I am in PM, so as not to give away too much information. Thx!
Ok, can someone explain something to me (feel free to PM)?
When using Burp, I can see where the request is failing. I used different “words” or commands to see if the request is OK (200) or refused (403). How can I know what is forbidden or not? Or at least, is there a way to get more information on the error/reject from Burp or with any other tool?
Foothold: Recon all you can and try all the verbs. Common file/directory lists will find what you need. Then make educated guesses about passwords. You don’t need to automate the bruteforce, I did it manually. You’ll need an exploit to gain the initial foothold, but it won’t work out of the box - this is intentional. Read the exploit code and understand it, then you can do it manually! Playing with the WAF for this one was interesting, and a well placed challenge - it makes it realistic! thanks @askar
User: you can skip this part if you want, although, as @menessim said, that motivated me to go foothold → user → root. It is a nice experience! Again, look for stuff on disk!
Root: You will need an exploit for this and it’s unrelated to anything beforehand. Standard root enumeration should find what you look for, and the name is weirdly informative.
Thanks for the box @askar and thanks to @menessim for the tips!
Hiyo, could anyone help? I can get to c***** alright, and I have the creds, but I can’t seem to get code execution; for some reason my nc command won’t work properly. Could anyone help out a noob here? Thanks!
Hello guys, I’m stuck. I try brute forcing using the default passwords on the panel of /c******; it’s pretty long (4 hours) and I do not know if I’m using the right method. I’ve written a script which uses an exploit linked to the vulnerabilities of the panel. Thank you all. Don’t hesitate to PM me!
I found out from the docs that if I want to develop third-party software I can just use the application programming interface to get the details I want… And then I found out there is one huge difference in using that for something.
On one hand I think it’s being unfairly bashed as CTFy and unrealistic. Sure, the VERB caveat is not the most prevalent vulnerability in the wild. But WAFs breaking exploits and scripts, unreliable PoCs and the necessity to enum a lot are. It makes the experience more realistic than most machines I’ve done on HTB.
On the other hand: holy ■■■■ was it frustrating. Almost every step needed some massaging which wasn’t obvious at all. And then there are the lags. This machine is so slow. Testing exploits just takes ages. And there are the restarts…
Anyway to the tips:
Foothold
Enum a lot
Don’t fall for rabbit holes
VERBS matter
If you write a script for password bruteforcing, don’t be like me and don’t send passwords with line endings… facepalm
When you’re in don’t bother with running ready made exploits
Just read them and do things by hand
Remember about WAF, tweak your requests
Root
Standard enumeration should reveal quite obvious route
Very OSCP-like (I’m pretty sure I did exactly this on one OSCP machine, but don’t take my word for it)
Again, don’t run PoC script blindly. Read it. Understand it. Exploit by hand. Dance your root dance