Wall

Never mind, got a shell thanks to the web apps; working now on privesc :slight_smile:

Rooted!

User was hard for me (I succeeded with and without the exploit but it was haaard)
PM me if you’re stuck I’ll be happy to help you.

Root is so easy it takes 5 min max.

Alright, rooted! This is my first box :smiley:

To get the right page:

  1. The common thing that is done by a teacher for their students during an exam. A right script to enumerate the page will help you.

The user:

  1. This is easy; this is very common, actually. You don’t need to brute force it, but if you experience difficulty there’s a right wordlist.

The shell:

  1. CVE > but it will not work easily; you need to modify it to get the shell.

Privilege Escalation:

  1. CVE > Remember ippsec’s website will give you help. Just do a good enumeration after you get into the shell; if you find an interesting thing based on your enumeration, just use it as a search term.

Thanks to @Kaligero and @GetGetGetGet

@anguzmar said:

Man that was painful, took me ages to get the first shell to work, and then the machine was crashing every few minutes so I had to redo the process over and over again.

After getting a shell, the exploit to get root wasn’t working either and was throwing a very obscure error. Turns out the issue has to do with leftovers from Windows.

A few pointers:

  • Forget the CSRF token, use the API.
  • First CVE: Print the result of your requests. If you get 403, there is a reason for it.
  • Second CVE (privesc): Basic enumeration, it stands out pretty quick. If you use vim set ff=unix.

Noob’s question, but… when using Burp, I can see which page gives us a “403”. But how do you ask the Python script to print the result of each command on screen?

Finally, after long work, rooted the box.

Thanks to you guys:
@jrgdiaz
@r0xas
@stoffern
@beorn

Regards

Hey everyone, I am completely new at this and I don’t have a clue how to start. I know you have to start with a scan and I used nmap and dirbuster but somehow I get nothing from it. Can someone PM me to get me started on how to get started?

@danKawan said:
Alright, rooted! This is my first box :smiley:

To get the right page:

  1. The common thing that is done by a teacher for their students during an exam. A right script to enumerate the page will help you.

The user:

  1. This is easy; this is very common, actually. You don’t need to brute force it, but if you experience difficulty there’s a right wordlist.

The shell:

  1. CVE > but it will not work easily; you need to modify it to get the shell.

Privilege Escalation:

  1. CVE > Remember ippsec’s website will give you help. Just do a good enumeration after you get into the shell; if you find an interesting thing based on your enumeration, just use it as a search term.

Well, I’m done with the box, but I would like to know how you got the user creds using the API method. PM.

Hi guys, could someone help me? I had a match for the creds but it is no longer working, so I think I’m on the wrong track. I will explain my process and where I am in PM so as not to give away more information :slight_smile: Thx!

Ok, can someone explain something to me (feel free to PM)?

When using Burp, I can see where the request is failing. I used different “words” or commands to see if the request is OK (200) or refused (403). How can I know what is forbidden or not? Or at least, is there a way to get more information on the error/reject from Burp or with any other tool?

Rooted this box last night.

Foothold: Recon all you can and try all the verbs. Common file/directory lists will find what you need. Then make educated guesses about passwords. You don’t need to automate the bruteforce, I did it manually. You’ll need an exploit to gain the initial foothold, but it won’t work out of the box - this is intentional. Read the exploit code and understand it, then you can do it manually! Playing with the WAF for this one was interesting, and a well placed challenge - it makes it realistic! thanks @askar

User: you can skip this part if you want, although what @menessim said motivated me to go foothold → user → root. It is a nice experience! Again, look for stuff on disk!

Root: You will need an exploit for this and it’s unrelated to anything beforehand. Standard root enumeration should find what you look for, and the name is weirdly informative.

Thanks for the box @askar and thanks to @menessim for the tips!

Hyo, could anyone help? I can get to c***** alright, and I have the creds, but I can’t seem to get code execution - for some reason my nc command won’t work properly? Could anyone help out a noob here? Thanks!

Hello guys, I’m stuck. I’m trying to brute force using the default password on the panel of /c******; it’s pretty long (4 hours) and I do not know if I’m using the right method. I’ve written a script which uses an exploit linked to the vulnerabilities of the panel. Thank you all; don’t hesitate to PM me!

I found out from the docs that if I want to develop third-party software I can just use the application programming interface to get the details I want… And then I found out there is one huge difference in using that for something.

@cane Try looking for how to bypass the waf…

I am just lost at this point. I have found /c******* and /c******* /a** but haven’t been able to find usable credentials. Can anyone assist ?

@mewt did you find the documentation on /c******* ??

So, finally rooted.

I have very mixed feelings on the machine.

On one hand, I think it’s being unfairly bashed as CTFy and unrealistic. Sure, the VERB caveat is not the most prevalent vulnerability in the wild. But WAFs breaking exploits and scripts, unreliable PoCs and the necessity to enumerate a lot are. It makes the experience more realistic than most machines I’ve done on HTB.

On the other hand: holy ■■■■ was it frustrating. Almost every step needed some massaging which wasn’t obvious at all. And then there are the lags. This machine is so slow. Testing exploits just takes ages. And there are the restarts…

Anyway to the tips:

  • Foothold
      • Enum a lot
      • Don’t fall for rabbit holes
      • VERBS matter
      • If you write a script for password brute forcing, don’t be like me and don’t send passwords with endlines… facepalm
      • When you’re in, don’t bother with running ready-made exploits
      • Just read them and do things by hand
      • Remember about the WAF, tweak your requests

  • Root
      • Standard enumeration should reveal a quite obvious route
      • Very OSCP-like (I’m pretty sure I did exactly this on one OSCP machine, but don’t take my word for it)
      • Again, don’t run PoC scripts blindly. Read them. Understand them. Exploit by hand. Dance your root dance

As always: PM me for help if stuck :slight_smile:
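Two of the tips in this thread are really the same line-ending problem seen from both sides: @anguzmar’s “leftovers from Windows” error (fixed with `set ff=unix` in vim) and the “don’t send passwords with endlines” facepalm above. The snippet below is an added illustration, not code from this thread or from Hack The Box. It shows how to inspect a downloaded script for CRLF terminators before running it, how to convert it the way `set ff=unix` or `dos2unix` would, and why reading a list file with a naive split leaves a stray `\r` or `\n` on every entry. The sample script and list contents are constructed for the example.

```python
"""Line-ending hygiene for lab scripts and list files (added example)."""
from __future__ import annotations

CRLF = b"\r\n"


def inspect_line_endings(data: bytes) -> dict:
    """Count LF-only and CRLF terminators and flag a CR on the shebang line.

    A shebang ending in '\\r' is the classic symptom of a script saved on
    Windows: the kernel looks for an interpreter literally named
    '/usr/bin/env python3\\r' and fails with a confusing error.
    """
    crlf = data.count(CRLF)
    lf_total = data.count(b"\n")
    first_line = data.split(b"\n", 1)[0]
    return {
        "crlf": crlf,
        "lf_only": lf_total - crlf,
        "mixed": crlf > 0 and (lf_total - crlf) > 0,
        "shebang_has_cr": first_line.startswith(b"#!") and first_line.endswith(b"\r"),
    }


def to_unix(data: bytes) -> bytes:
    """Same transformation as vim ':set ff=unix' or dos2unix: CRLF -> LF."""
    return data.replace(CRLF, b"\n")


def naive_entries(data: bytes) -> list[str]:
    """The bug from the thread: splitting on '\\n' alone keeps the '\\r'.

    Iterating a text file line by line has the same effect for LF files,
    yielding 'alpha\\n' instead of 'alpha', so every value sent is wrong.
    """
    return [line.decode() for line in data.split(b"\n") if line]


def read_list_entries(data: bytes, encoding: str = "utf-8") -> list[str]:
    """Return entries with every line terminator removed; blank lines dropped.

    bytes.splitlines() recognises LF, CRLF and lone CR, so the same reader
    works whether the list was written on Linux or Windows.
    """
    return [line.decode(encoding) for line in data.splitlines() if line]


# Constructed sample: a tiny script as saved by a Windows editor (CRLF).
WINDOWS_SCRIPT = b"#!/usr/bin/env python3\r\nprint('hello')\r\n"
# Constructed sample: a list file whose entries end in CRLF, with a blank line.
WINDOWS_LIST = b"alpha\r\nbeta\r\n\r\ngamma\r\n"

if __name__ == "__main__":
    report = inspect_line_endings(WINDOWS_SCRIPT)
    print("before:", report)
    print("after :", inspect_line_endings(to_unix(WINDOWS_SCRIPT)))
    # repr() makes the invisible '\r' visible, which is the whole point.
    print("naive :", [repr(e) for e in naive_entries(WINDOWS_LIST)])
    print("clean :", read_list_entries(WINDOWS_LIST))
```

Run the file directly to see the difference: the naive reader yields `'alpha\r'`, which is exactly the kind of value that makes a login attempt fail while looking correct in a plain `print`. Using `repr()` when printing request bodies and responses is the cheapest way to catch this.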

Finally back to the first shell through manual RCE.
Still don’t understand how the exploit stopped working… but well,
now on to root.

Got there in the end. Initial foothold was reasonably straightforward, but getting a reverse shell was a real pain.
I’d actually figured out how to do it a while ago but thought it wasn’t working. I think a large number of my issues were down to people constantly resetting the box and undoing what I’d put in place, sending me off on tangents and down rabbit holes, but it was very satisfying when it finally worked using a method I’d tried ages ago.

Once I got a reverse shell I briefly went down another rabbit hole, trying the wrong priv esc route (which didn’t work), but quickly found the correct one. Even in that 30 mins or so once I got a shell, though, I had the box rebooted 3 times on me, dropping the shell and meaning I had to regain my reverse shell each time.
Very frustrating!

Rooted finally!