Wall

Rooted. A very fun box minus the brute-forcing.
Thanks @donkeysnore for the help on creds respect++;
Thanks @askar for the box, learned a lot.
Nudges service is open on my PM port, feel free to NC in :wink:

Some nice lessons learned in this one, but a frustrating box at times.

Baby steps will help, understand what is going on at every stage as this isn’t a point and shoot box.

Once I found the app everyone talks about, I re-created public exploits step by step to get access but found another way to get execution.

Similarly for root access, once I performed some basic enum I was able to find a way but it took a few manual steps and edits.

I don’t understand why in Burp, when I change the string in the payload, the page says HTTP/1.1 200, but then if I want to browse to g**********s.php, it’s blank.

Looks to me like my issue is with this page, not the command in the payload.

Any tips or advice to give me? I’m struggling like never before…

@bumika said:
@kalagan76 said:

@Nt3c said:

After almost one week of trial and error I was able to bypass the WAF, Jesus… The most interesting thing is that the payload works in the script, but it doesn’t directly on the webpage :S

Without spoilers, any tips on how to bypass this f***ing WAF? I’ve been on it for 10 days…

You need to understand the exploit (read the original article), and you should modify it to evade the WAF. After some attempts you will notice which characters and strings you should substitute to avoid 403 responses. Use proper substitutions.

I’ve read it like 150 times and the script too. I’m back to trying to make it work manually with Burp. But like I just said, I can type a command in the payload / poller that will give me a “200 OK” but I’m not getting any further. If I understand the script, I try to browse to g**********s.php, but the page is blank.

@kalagan76 said:

@bumika said:
@kalagan76 said:

@Nt3c said:

After almost one week of trial and error I was able to bypass the WAF, Jesus… The most interesting thing is that the payload works in the script, but it doesn’t directly on the webpage :S

Without spoilers, any tips on how to bypass this f***ing WAF? I’ve been on it for 10 days…

You need to understand the exploit (read the original article), and you should modify it to evade the WAF. After some attempts you will notice which characters and strings you should substitute to avoid 403 responses. Use proper substitutions.

I’ve read it like 150 times and the script too. I’m back to trying to make it work manually with Burp. But like I just said, I can type a command in the payload / poller that will give me a “200 OK” but I’m not getting any further. If I understand the script, I try to browse to g**********s.php, but the page is blank.

I don’t know which commands you ran, but you should have analyzed the responses in your local proxy or in your packet capture program. Send me a PM and I will try to help you.

The CVE is driving me crazy, could use some help with it.
I keep getting an error on line 39 of the script: “IndexError: list index out of range”.
Then I tried to take the manual route, but even though my payload should be correct I don’t get anything on my listener… PMs are much appreciated.

Hello, can someone direct me to the right path? I got confused reading the hints.
I found all the files and directories with dirb****. The mo********* path leads to a protected area, surely a .hta***** behind it. I think that’s the way for the user/limited user. There are a lot of hints like VERB. According to that, I’m tempted to use brute force with a verb-oriented list or to use different communication protocols like G**/P***.

The ce******* service, I’m pretty sure, is the way to root, and for this purpose use its A** to interact and use def**** *****.

Can someone confirm or redirect me to the right path, please?
Thanks in advance

Rooted :))
Getting the initial shell took time, but once you’re in
it’s 5 mins to root :))

root@Wall:/# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data),6000(centreon)

Rooted!
It’s been a bit frustrating and annoying honestly.

Hey guys, any hints for the first access? I wrote a script to bruteforce c****** API, but still not finding the password.

Rooted the box. Thanks @donkeysnore for the help.
DM me if you want help on the box.

Such a nice box. Nudge me for any help.

Spoiler Removed

Hey,
Can someone give me a clue about the login credentials of the c******* page?

Hi, I need some help on the brute force of the credentials. Not very sure what parameter to put.

Hey!

I’ve been banging my head against a wall (■■■■) for what feels like forever now. I managed to get into C******* with little to no problems, and I’m using the CVE script to try to get RCE working. I’ve modified it to show more info about the requests and responses and everything I try seems to land me with a 403. I know it has to do with some sort of character/word blacklist but it’s completely eluding me at this point.

Would someone be willing to DM me to help me understand this better?
Thank you!

Same situation as @110Percent. I am starting to think my creds are not correct… In fact, I’ve noticed that despite changing usernames, there is 1 password that always gives me the same response… help!

Well, this is quite a headache. Almost cracked the screen getting root. Got the root.txt and user.txt but the two flags (1…7, f…6) are not accepted. Back to the drawing board I reckon…

Edit: Nvm, they are now. Cool box.

Hi All, I can manage to get 2 types of shells on the box but my listener isn’t outputting anything. Can anyone help with a nudge in the right direction?

Edit: Never mind, I’m in.

@D4yz said:

Same situation as @110Percent. I am starting to think my creds are not correct… In fact, I’ve noticed that despite changing usernames, there is 1 password that always gives me the same response… help!

I’m certain my creds are correct, as I get 200s when I try to use commands that aren’t blacklisted by whatever’s getting in my way. I’ll pound away at it some more, but I’m still scratching my head trying to figure out how I can circumvent it.