• Hey everyone, I am completely new at this and I don't have a clue how to start. I know you have to start with a scan, and I used nmap and dirbuster, but somehow I get nothing from it. Can someone PM me to get me started?

  • @danKawan said:
    Alright, rooted! This is my first box :D

    To get the right page:

    1. The common thing that is done by a teacher for their students during an exam. A right script to enumerate the page will help you.

    The user:

    1. This is easy; this is very common, actually you don't need to brute force it. But if you experience difficulty, there's a right wordlist.

    The shell:

    1. CVE > but it will not work easily; you need to modify it to get the shell.

    Privilege Escalation:

    1. CVE > Remember ippsec's website will give you help. Just do a good enumeration after you get into the shell; if you find an interesting thing based on your enumeration, just use it as a search term.

    Well, I'm done with the box but I would like to know how you got usr/cred using the API method. PM.

  • Hi guys, could someone help me? I had a match for the creds but it's no longer working, so I think I'm on the wrong way. I will explain in PM my process and where I am, so as not to give away too much information :) Thx!

  • Ok, can someone explain something to me (feel free to PM)?

    When using Burp, I can see where the request is failing. I used different "words" or commands to see if the request is OK (200) or refused (403). How can I know what is forbidden or not? Or at least, is there a way to get more information on the error/reject from Burp or with any other tool?

  • Rooted this box last night.

    Foothold: Recon all you can and try all the verbs. Common file/directory lists will find what you need. Then make educated guesses about passwords. You don't need to automate the bruteforce; I did it manually. You'll need an exploit to gain the initial foothold, but it won't work out of the box - this is intentional. Read the exploit code and understand it, then you can do it manually! Playing with the WAF for this one was interesting, and a well placed challenge - it makes it realistic! Thanks @askar

    User: you can skip this part if you want, although, as @menessim said, that motivated me to go foothold -> user -> root. It is a nice experience! Again, look for stuff on disk!

    Root: You will need an exploit for this and it's unrelated to anything beforehand. Standard root enumeration should find what you look for, and the name is weirdly informative.

    Thanks for the box @askar and thanks to @menessim for the tips!


  • Hyo, could anyone help? I can get to c***** alright, and I have the creds, but I can't seem to get code execution - for some reason my nc command won't work properly? Could anyone help out a noob here? Thanks!

  • Hello guys, I'm stuck. I try bruteforce using the default password on the panel of /c******, it's pretty long (4 hours), I do not know if I'm using the right method. I've written a script which used an exploit linked to the vulnerabilities of the panel. Thank you all. Don't hesitate to PM me!

  • I found out from the docs that if I want to develop third-party software I can just use the application programming interface to get the details I want... And then I found out there is one huge difference in using that for something.


  • @cane Try looking for how to bypass the waf...


  • I am just lost at this point. I have found /c******* and /c******* /a** but haven't been able to find usable credentials. Can anyone assist?

  • @mewt did you find the documentation on /c*******?


  • So, finally rooted.

    I have very mixed feelings on the machine.

    On one hand, I think it's being unfairly bashed as CTFy and unrealistic. Sure, the VERB caveat is not the most prevalent vulnerability in the wild. But WAFs breaking exploits and scripts, unreliable PoCs and the necessity to enum a lot is. It makes the experience more realistic than most machines I've done on HTB.

    On the other hand: holy hell was it frustrating. Almost every step needed some massaging which wasn't obvious at all. And then there are the lags. This machine is so slow. Testing exploits just takes ages. And there are the restarts...

    Anyway to the tips:

    • Foothold

      • Enum a lot
      • Don't fall for rabbit holes
      • VERBS matter
      • If you write a script for password bruteforcing don't be like me and don't send passwords with endlines... facepalm
      • When you're in don't bother with running ready made exploits
      • Just read them and do things by hand
      • Remember about WAF, tweak your requests
    • Root

      • Standard enumeration should reveal a quite obvious route
      • Very OSCP-like (I'm pretty sure I did exactly this on one OSCP machine, but don't take my word for it)
      • Again, don't run PoC scripts blindly. Read it. Understand it. Exploit by hand. Dance your root dance

    As always: PM me for help if stuck :)
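The tips above keep coming back to two server-side signals: unexpected HTTP verbs and long runs of 403s from one client while someone guesses passwords. The following is an added example (not code from the thread or from the box) of how a defender would pull those two signals out of ordinary web-server access logs. The log lines are constructed for this example, the `/admin/login` path and client addresses are invented, and the parser assumes the Apache/nginx "combined" log format.

```python
"""Scan combined-format access log lines for (a) requests using HTTP methods
the application is not expected to receive and (b) clients that collect many
403 responses, which is what a WAF or login form returns during guessing.
Added example with constructed sample data; not from the original thread."""
import re
from collections import Counter

# One combined-format line looks like:
# 10.0.0.5 - - [12/Nov/2019:10:00:01 +0000] "GET /x HTTP/1.1" 200 512 "-" "curl/7.64"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Methods a typical browser-facing application legitimately receives.
# Anything else (PUT, DELETE, TRACE, TRACK, made-up verbs) is worth a look,
# and an unexpected verb that gets a 2xx instead of a 403/405 is the real red flag.
EXPECTED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, forbidden_threshold=5):
    """Return (unusual_verbs, guessing_suspects).

    unusual_verbs: list of (ip, method, path, status) for unexpected methods.
    guessing_suspects: {ip: count_of_403} for clients at or over the threshold.
    Unparseable lines are skipped rather than aborting the scan.
    """
    unusual = []
    forbidden = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] not in EXPECTED_METHODS:
            unusual.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
        if rec["status"] == 403:
            forbidden[rec["ip"]] += 1
    suspects = {ip: n for ip, n in forbidden.items() if n >= forbidden_threshold}
    return unusual, suspects


# Constructed sample: one normal request, five refused POSTs from one client,
# two odd verbs from another client, and one line that is not a log line at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2019:10:00:01 +0000] "GET /admin/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Nov/2019:10:00:02 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.22"',
    '10.0.0.5 - - [12/Nov/2019:10:00:03 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.22"',
    '10.0.0.5 - - [12/Nov/2019:10:00:04 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.22"',
    '10.0.0.5 - - [12/Nov/2019:10:00:05 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.22"',
    '10.0.0.5 - - [12/Nov/2019:10:00:06 +0000] "POST /admin/login HTTP/1.1" 403 128 "-" "python-requests/2.22"',
    '10.0.0.9 - - [12/Nov/2019:10:00:10 +0000] "PUT /admin/login HTTP/1.1" 403 128 "-" "curl/7.64"',
    '10.0.0.9 - - [12/Nov/2019:10:00:11 +0000] "TRACK /admin/login HTTP/1.1" 200 64 "-" "curl/7.64"',
    'this line is not an access log entry and is skipped',
]


def main():
    unusual, suspects = analyze(SAMPLE_LOG)
    for ip, method, path, status in unusual:
        print(f"unexpected verb: {ip} {method} {path} -> {status}")
    for ip, n in suspects.items():
        print(f"possible password guessing: {ip} received {n} x 403")


if __name__ == "__main__":
    main()
```

The threshold is deliberately a parameter: on a real site, tune it per path (a login endpoint tolerates far fewer 403s per client than a static directory) and add a time window, since the Counter above has none.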

  • Finally back to the first shell through manual RCE.
    Still don't understand how the exp stopped working... but well,
    now on to root.

    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • edited November 2019

    Got there in the end. Initial foothold was reasonably straight forward, but getting reverse shell was a real pain.
    I’d actually figured out how to do it a while ago but thought it wasn’t working. I think a large number of my issues were down to people constantly resetting the box and undoing what I’d put in place, sending me off on tangents and down rabbit holes, but it was very satisfying when it finally worked using a method I’d tried ages ago.

    Once I got a reverse shell I briefly went down another rabbit hole, trying the wrong priv esc route (which didn’t work) but quickly found the correct one. Even in that 30 mins or so once I got a shell though, I had the box rebooted 3 times on me dropping the shell and meaning I had to regain my reverse shell each time.
    Very frustrating!


  • Rooted finally!

    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • I am stuck after getting initial shell with www-data. Can anyone please DM me with final CVE help.

  • edited November 2019

    I figured out the path from w*-d* to root, but I don't see the intended path to a regular user. Can someone PM?

  • @stoffern said:

    @mewt did you find the documentation on /c*******?

    The product documentation? Yes, I tried default credentials which didn't work and also looked at the A** documentation to check how to auth, with no luck.

  • Can anyone post some help about the modification of the CVE?

  • @mewt Try using software like w**** against the a** with the user you found.


  • edited November 2019

    Stuck with shell and w*-d* user, can someone please DM me any hint?

  • ROOTED finally!

  • edited November 2019

    CVE for c******* isn't working anymore, can anyone PM me telling where to get the p****r token?

    Edit: never mind got a shell.

  • Rooted.
    pm if you need a nudge

  • You don't have permission to access /c*******/main.***.php on this server.

    I got this error when exploiting the machine.
    Any hint?
  • @ghost5egy said:

    You don't have permission to access /c*******/main.***.php on this server.

    I got this error when exploiting the machine.
    Any hint?

    You probably need to login first to see this page.

  • Rooted. Initial shell was a BITCH. After kicking myself in the ass, user and root were simple. Just enumerate. Stick to the basics after you get that BITCH of a shell. DM me for if you need a nudge.

  • @Franna the exploit logged in before exploiting the bug.
  • Finally I got the password cred, such a painful part for me.
    Don't listen to those who say that the password must be in the first 50 of the list or whatever; the login is easy, but with the basic wordlist of Kali Linux you will take a long time.
    I used another list.

  • DM me if you want help
