Wall

Hey everyone, I am completely new at this and I don't have a clue how to start. I know you have to start with a scan and I used nmap and dirbuster but somehow I get nothing from it. Can someone PM me to help me get started?

@danKawan said:
Alright, rooted ! this is my first box :smiley:

To get the right page:

  1. The common thing that is done by teachers for their students during an exam. The right script to enumerate the page will help you.

The user:

  1. This is easy; this is very common actually, you don't need to brute force it. But if you experience difficulty, there's a right wordlist.

The shell:

  1. CVE, but it will not work easily; you need to modify it to get the shell.

Privilege Escalation:

  1. CVE. Remember ippsec's website will give you help; just do a good enumeration after you get into the shell. If you find an interesting thing based on your enumeration, just use it as a search term.

Well, I'm done with the box but I would like to know how you got the user/creds using the API method. PM.

Hi guys, could someone help me? I had a match for the creds but it's no longer working, so I think I'm on the wrong track. I will explain my process and where I am in PM so as not to give away too much information :slight_smile: Thx!

Ok, can someone explain something to me (feel free to PM)?

When using Burp, I can see where the request is failing. I used different "words" or commands to see if the request is OK (200) or refused (403). How can I know what is forbidden or not? Or at least, is there a way to get more information on the error/reject from Burp or with any other tool?

Rooted this box last night.

Foothold: Recon all you can and try all the verbs. Common file/directory lists will find what you need. Then make educated guesses about passwords. You don’t need to automate the bruteforce, I did it manually. You’ll need an exploit to gain the initial foothold, but it won’t work out of the box - this is intentional. Read the exploit code and understand it, then you can do it manually! Playing with the WAF for this one was interesting, and a well placed challenge - it makes it realistic! thanks @askar

User: you can skip this part if you want, although what @menessim said motivated me to go foothold → user → root. It is a nice experience! Again, look for stuff on disk!

Root: You will need an exploit for this and it’s unrelated to anything beforehand. Standard root enumeration should find what you look for, and the name is weirdly informative.

Thanks for the box @askar and thanks to @menessim for the tips!

Hyo, could anyone help? I can get to c***** alright, and I have the creds, but I can’t seem to get code execution - for some reason my nc command won’t work properly? Could anyone help out a noob here? Thanks!

Hello guys, I'm stuck. I try brute forcing using the default password on the panel of /c******; it's pretty long (4 hours) and I do not know if I'm using the right method. I've written a script which used an exploit linked to the vulnerabilities of the panel. Thank you all, don't hesitate to PM me!

I found out from the docs that if I want to develop third-party software I can just use the application programming interface to get the details I want… And then I found out there is one huge difference in using that for something.

@cane Try looking for how to bypass the waf…

I am just lost at this point. I have found /c******* and /c******* /a** but haven't been able to find usable credentials. Can anyone assist?

@mewt did you find the documentation on /c******* ??

So, finally rooted.

I have very mixed feelings on the machine.

On one hand I think it's being unfairly bashed as CTFy and unrealistic. Sure, the VERB caveat is not the most prevalent vulnerability in the wild. But WAFs breaking exploits and scripts, unreliable PoCs and the necessity to enum a lot is. It makes the experience more realistic than most machines I've done on HTB.

On the other hand: holy ■■■■ was it frustrating. Almost every step needed some massaging which wasn't obvious at all. And then there are the lags. This machine is so slow. Testing exploits just takes ages. And there are the restarts…

Anyway to the tips:

  • Foothold
    • Enum a lot
    • Don't fall for rabbit holes
    • VERBS matter
    • If you write a script for password bruteforcing don't be like me and don't send passwords with endlines… facepalm
    • When you're in don't bother with running ready made exploits
    • Just read them and do things by hand
    • Remember about WAF, tweak your requests
  • Root
    • Standard enumeration should reveal quite an obvious route
    • Very OSCP-like (I'm pretty sure I did exactly this on one OSCP machine but don't take my word for it)
    • Again, don't run PoC scripts blindly. Read it. Understand it. Exploit by hand. Dance your root dance

As always: PM me for help if stuck :slight_smile:
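The two concrete behaviours described in the posts above (changing the HTTP verb to get a different answer from a WAF-fronted path, and guessing panel passwords by hand or with a script) are exactly what a defender looks for in the web server's access log. The following is an added example, not code from the thread or from the box: a small Python check over constructed Apache combined-format log lines. The path names, client IPs and log lines are all invented for the example; the two detection functions flag (a) requests using a method outside an allowed set or a client that gets 403 on one method and 2xx on another for the same path, and (b) a client with a burst of failed logins against a login endpoint inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Apache "combined" format). Paths and IPs are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2019:12:00:01 +0000] "GET /panel/ HTTP/1.1" 403 199 "-" "curl/7.64.0"
10.10.14.5 - - [10/Oct/2019:12:00:02 +0000] "POST /panel/ HTTP/1.1" 200 1854 "-" "curl/7.64.0"
10.10.14.5 - - [10/Oct/2019:12:00:03 +0000] "TRACK /panel/ HTTP/1.1" 405 0 "-" "curl/7.64.0"
10.10.14.9 - - [10/Oct/2019:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2019:12:00:10 +0000] "POST /panel/login HTTP/1.1" 401 312 "-" "python-requests/2.22.0"
10.10.14.5 - - [10/Oct/2019:12:00:11 +0000] "POST /panel/login HTTP/1.1" 401 312 "-" "python-requests/2.22.0"
10.10.14.5 - - [10/Oct/2019:12:00:12 +0000] "POST /panel/login HTTP/1.1" 401 312 "-" "python-requests/2.22.0"
10.10.14.5 - - [10/Oct/2019:12:00:13 +0000] "POST /panel/login HTTP/1.1" 401 312 "-" "python-requests/2.22.0"
10.10.14.5 - - [10/Oct/2019:12:00:14 +0000] "POST /panel/login HTTP/1.1" 401 312 "-" "python-requests/2.22.0"
10.10.14.5 - - [10/Oct/2019:12:00:15 +0000] "POST /panel/login HTTP/1.1" 401 312 "-" "python-requests/2.22.0"
10.10.14.9 - - [10/Oct/2019:12:00:20 +0000] "POST /panel/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Oct/2019:12:00:25 +0000] "POST /panel/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client ip, two ignored identity fields, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def find_verb_anomalies(entries, allowed=frozenset({"GET", "POST", "HEAD"})):
    """Flag unusual methods, and a client that is refused (403) with one method
    but accepted (2xx) with another on the same path: the signature of verb
    tampering against a WAF or access rule that only matches some methods."""
    hits = []
    by_client_path = defaultdict(dict)  # (ip, path) -> {method: status}
    for e in entries:
        if e["method"] not in allowed:
            hits.append({"kind": "unusual-method", "ip": e["ip"],
                         "path": e["path"], "method": e["method"]})
        by_client_path[(e["ip"], e["path"])][e["method"]] = e["status"]
    for (ip, path), statuses in by_client_path.items():
        blocked = sorted(m for m, s in statuses.items() if s == 403)
        passed = sorted(m for m, s in statuses.items() if 200 <= s < 300)
        if blocked and passed:
            hits.append({"kind": "403-bypass", "ip": ip, "path": path,
                         "method": "+".join(passed)})
    return hits


def find_login_bursts(entries, login_path="/panel/login", threshold=5,
                      window=timedelta(seconds=60)):
    """Return {ip: max failed logins seen inside one window} for clients at or
    above the threshold. 401/403 on the login path count as failures."""
    failures = defaultdict(list)
    for e in entries:
        if e["path"] == login_path and e["status"] in (401, 403):
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for hit in find_verb_anomalies(parsed):
        print("verb anomaly:", hit)
    for ip, n in find_login_bursts(parsed).items():
        print(f"login burst: {ip} had {n} failures inside one window")
```

On the sample the verb check reports the TRACK request and the GET-403/POST-200 pair on /panel/ for the same client, and the burst check reports only the client with six failures in a few seconds, not the one that failed once and then logged in. The thresholds and the allowed-method set are the knobs to tune for a real site.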

Finally back to first shell through manual RCE.
Still don't understand how the exploit stopped working… but well,
now on to root.

Got there in the end. Initial foothold was reasonably straight forward, but getting reverse shell was a real pain.
I'd actually figured out how to do it a while ago but thought it wasn't working. I think a large number of my issues were down to people constantly resetting the box and undoing what I'd put in place, sending me off on tangents and down rabbit holes, but it was very satisfying when it finally worked using a method I'd tried ages ago.

Once I got a reverse shell I briefly went down another rabbit hole, trying the wrong priv esc route (which didn't work), but quickly found the correct one. Even in that 30 mins or so after I got a shell, I had the box rebooted 3 times on me, dropping the shell and meaning I had to regain my reverse shell each time.
Very frustrating!

Rooted finally!

I am stuck after getting initial shell with www-data. Can anyone please DM me with final CVE help.
Thanks

I figured out the path from w*-d* to root, but I don’t see the intended path to a regular user. Can someone PM?

@stoffern said:

@mewt did you find the documentation on /c******* ??

The product documentation? Yes, I tried default credentials which didn't work and also looked at the A** documentation to check how to auth, with no luck…

Can anyone post some help about the modification of the CVE?

@mewt Try using software like w**** against the a** with the user you found.