Wall

Hello guys, I’m stuck. I’m trying to bruteforce using the default password on the panel of /c******; it’s pretty long (4 hours) and I do not know if I’m using the right method. I’ve written a script which used an exploit linked to the vulnerabilities of the panel. Thank you all. Don’t hesitate to PM me!

I found out from the docs that if I want to develop third-party software I can just use the application programming interface to get the details I want… And then I found out there is one huge difference in using that for something.

@cane Try looking for how to bypass the WAF…

I am just lost at this point. I have found /c******* and /c******* /a** but haven’t been able to find usable credentials. Can anyone assist?

@mewt did you find the documentation on /c******* ??

So, finally rooted.

I have very mixed feelings on the machine

On one hand I think it’s being unfairly bashed as CTFy and unrealistic. Sure, the VERB caveat is not the most prevalent vulnerability in the wild. But WAFs breaking exploits and scripts, unreliable PoCs and the necessity to enum a lot are. It makes the experience more realistic than most machines I’ve done on HTB.

On the other hand: holy ■■■■ was it frustrating. Almost every step needed some massaging which wasn’t obvious at all. And then there are the lags. This machine is so slow. Testing exploits just takes ages. And there are the restarts…

Anyway to the tips:

  • Foothold
      • Enum a lot
      • Don’t fall for rabbit holes
      • VERBS matter
      • If you write a script for password bruteforcing don’t be like me and don’t send passwords with endlines… facepalm
      • When you’re in don’t bother with running ready made exploits
      • Just read them and do things by hand
      • Remember about WAF, tweak your requests

  • Root
      • Standard enumeration should reveal quite obvious route
      • Very OSCP-like (I’m pretty sure I did exactly this on one OSCP machine but don’t take my word for it)
      • Again, don’t run PoC script blindly. Read it. Understand it. Exploit by hand. Dance your root dance

As always: PM me for help if stuck :slight_smile:

Finally back to first shell through manual RCE.
Still don’t understand how the exp stopped working… but well,
now on to root.

Got there in the end. Initial foothold was reasonably straightforward, but getting reverse shell was a real pain.
I’d actually figured how to do it a while ago but thought it wasn’t working. I think a large number of my issues were down to people constantly resetting the box and undoing what I’d put in place, sending me off on tangents and down rabbit holes, but it was very satisfying when it finally worked using a method I’d tried ages ago.

Once I got a reverse shell I briefly went down another rabbit hole, trying the wrong priv esc route (which didn’t work) but quickly found the correct one. Even in that 30 mins or so once I got a shell though, I had the box rebooted 3 times on me dropping the shell and meaning I had to regain my reverse shell each time.
Very frustrating!

Rooted finally!

I am stuck after getting initial shell with www-data. Can anyone please DM me with final CVE help.
Thanks

I figured out the path from w*-d* to root, but I don’t see the intended path to a regular user. Can someone PM?

@stoffern said:

@mewt did you find the documentation on /c******* ??

The product documentation? Yes, I tried default credentials which didn’t work and also looked at the A** documentation to check how to auth with no luck…

Can anyone post some help about the modification of the CVE?

@mewt Try using software like w**** against the a** with the user you found.

Stuck with shell and w*-d* user, can someone please DM me any hint?

ROOTED finally!

CVE for c******* isn’t working anymore, can anyone PM me telling where to get the p****r token?

Edit: never mind got a shell.

Rooted.
PM if you need a nudge.

You don’t have permission to access /c*******/main.***.php on this server.

I got this error when exploiting the machine.
Any hint?

@ghost5egy said:

You don’t have permission to access /c*******/main.***.php on this server.

I got this error when exploiting the machine
Any hint

You probably need to log in first to see this page.