Obscurity

@twypsy said:

@GPLO said:

Missing something here…
I found some interesting things early on with burpsuite. I then enumerated a user and 2 text files with wfuzz but can’t find the .py file.
A SMALL nudge would be appreciated.

It’s a secret directory, and under it you should find the py file you are looking for.

Use a common wordlist, no need to go with big ones.

Just in case, check you are using port 8080 and not 80.

I thought I’d done that but your comment made me realize I didn’t quite do it the right way. Focused too much on an interesting vulnerability I found early on :cry:

Rooted. Nice one @clubby789, although I believe there is an “easy” (and potentially unintended) method for root that should be patched if possible as it sorta ruined that bit for me. I’m going to go back and do it the (what I believe to be) intended way now though :slight_smile:

Thanks for the machine!

Hints:

Foothold: Fuzzing & then Source Code analysis. Look at what you can do to get RCE.

User: There are a few different ways of doing this. You have an input and an output – these two things should be enough to work backwards.

Root (Intended Method Only): Analyze the code, and check what is outputted. Keep checking… and checking… Once you do that, you’ll have everything you need.

@farbs said:

Rooted. Nice one @clubby789, although I believe there is an “easy” (and potentially unintended) method for root that should be patched if possible as it sorta ruined that bit for me.
Yeah, that’s unintended, and I’ve been told a fix is being pushed. To anyone else who used that method to get root, I suggest you go back and try it the intended way :slight_smile:

@clubby789 said:

Yeah, that’s unintended, and I’ve been told a fix is being pushed. To anyone else who used that method to get root, I suggest you go back and try it the intended way :slight_smile:

Having just solved it as my first machine, I honestly have no clue if I did it the right or wrong way :slight_smile:

It was probably the easy way, as the root password was a lot easier to obtain than the rest of the machine. Or I did it the right way and completely missed out on the easier way :slight_smile:

Anyway, thanks for creating it. While some comments mention it’s useless, I learned something from it, so it’s certainly not useless.

I can’t wait to see a writeup of it to see if i did it the right or wrong way.

Hi, having a hard time with wfuzz and stuck, pls help on PM. I have the proper port 8080 but even when using a big dict I get nothing …

@VisualDudek said:

Hi, having a hard time with wfuzz and stuck, pls help on PM. I have the proper port 8080 but even when using a big dict I get nothing …

dirbuster worked for me.

PM

I’m having problems fuzzing here, anyone willing to give me a hand?

The source code is really simple to read. I know exactly which part I should exploit. I tried several times, but it did not work. Then I ran the source on my own computer. And it works. … … Still missing something here. :smiley:

@blaudoom said:

The source code is really simple to read. I know exactly which part I should exploit. I tried several times, but it did not work. Then I ran the source on my own computer. And it works. … … Still missing something here. :smiley:

@yeezybusta said:

@blaudoom said:

The source code is really simple to read. I know exactly which part I should exploit. I tried several times, but it did not work. Then I ran the source on my own computer. And it works. … … Still missing something here. :smiley:

HTML URL Encoding Reference

I know about url-encoding. And as I said, I am hosting the same server myself. I am connecting to it the same way I connect to the box. That’s why I find it a bit weird.

edit: reset seemed to work.

@yeezybusta said:

@blaudoom said:

The source code is really simple to read. I know exactly which part I should exploit. I tried several times, but it did not work. Then I ran the source on my own computer. And it works. … … Still missing something here. :smiley:

HTML URL Encoding Reference
This one really helped.
I got a shell as w**-d*** now; I think I’m a little bit stuck there.
Could anyone help?

I’m still stuck on enumeration… I tried dirb, dirbuster, fuzzing with zap and burp, with different dictionaries… what’s wrong? Can anybody put me on the right path? Thank you.

Rooted.

Initial foothold is more CTF-like, that’s why I was stuck, but other parts were very good.

Hints:

Initial foothold: After checking the front page, you will know one thing, and need to know another thing. Fuzz these things together. Then you will find a hole into which you can inject your weapon :slight_smile:

User: Use your algorithm skills and get X from y^x=z :wink:

Root: Much simpler than user. Just add the specified option one more time.
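The user hint above ("get X from y^x=z") is the observation that XOR is its own inverse. As an added example, not code from the thread or from the machine, the block below shows why a short XOR key that is reused across messages gives no confidentiality: one matching plaintext/ciphertext pair leaks the key byte by byte, and everything else protected with that key then decrypts. All sample values are constructed.

```python
from itertools import cycle


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated to data's length; encryption and decryption are the same op."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Recover a repeating key of length key_len from a known plaintext/ciphertext pair.

    Because c[i] = p[i] ^ key[i % key_len], each key byte is just p[i] ^ c[i].
    Known bytes beyond key_len are used as a consistency check on the guessed length.
    """
    if len(plaintext) != len(ciphertext) or len(plaintext) < key_len:
        raise ValueError("need at least key_len bytes of matching plaintext and ciphertext")
    key = bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))
    for i in range(key_len, len(plaintext)):
        if plaintext[i] ^ ciphertext[i] != key[i % key_len]:
            raise ValueError(f"key_len={key_len} is inconsistent with the known bytes")
    return key


def find_key(plaintext: bytes, ciphertext: bytes, max_len: int = 64) -> bytes:
    """Return the shortest repeating key (up to max_len) consistent with the known pair.

    A key whose bytes themselves repeat (e.g. b"abab") is reported as its shortest
    period (b"ab"), which decrypts identically.
    """
    for n in range(1, max_len + 1):
        try:
            return recover_key(plaintext, ciphertext, n)
        except ValueError:
            continue
    raise ValueError(f"no consistent key length up to {max_len}")


def demo() -> tuple[bytes, bytes]:
    # Constructed values for illustration only; not taken from the machine.
    secret_key = b"k3y!"
    known_plain = b"This is a sample message"
    known_cipher = xor_repeating(known_plain, secret_key)
    other_cipher = xor_repeating(b"second message, same key", secret_key)
    recovered = find_key(known_plain, known_cipher)
    return recovered, xor_repeating(other_cipher, recovered)


if __name__ == "__main__":
    print(demo())
```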

@jinie said:

@clubby789 said:

Yeah, that’s unintended, and I’ve been told a fix is being pushed. To anyone else who used that method to get root, I suggest you go back and try it the intended way :slight_smile:

Having just solved it as my first machine, I honestly have no clue if I did it the right or wrong way :slight_smile:

It was probably the easy way, as the root password was a lot easier to obtain than the rest of the machine. Or I did it the right way and completely missed out on the easier way :slight_smile:

Anyway, thanks for creating it. While some comments mention it’s useless, I learned something from it, so it’s certainly not useless.

I can’t wait to see a writeup of it to see if i did it the right or wrong way.

You did it the right way definitely.

The other path required taking the box out of the obscurity.

Found what I needed with wfuzz. Downloaded a copy and found the exploitable piece of code. I ran the code locally and experimented until I got the syntax right. I have 2 versions which both work locally. When I target obscurity however I get a 404 and my listener doesn’t trigger :frowning: Intended?

My problem is with m**e****s… I can’t avoid 500 error

@GPLO said:

Found what I needed with wfuzz. Downloaded a copy and found the exploitable piece of code. I ran the code locally and experimented until I got the syntax right. I have 2 versions which both work locally. When I target obscurity however I get a 404 and my listener doesn’t trigger :frowning: Intended?

nvm, found my problem. Don’t assume when you can check!

@clubby789 Great box! Not sure why ppl are not giving it the stars it deserves. It was easy, but I had a lot of fun.

Got user!
Going for root!