Remote

finally rooted. had a lot of trouble with the box. but I still liked it, because I learned something new.
I think I don’t need to give hints, because there is already everything here, that you need to get this box …
on a side note: I did the root path that is (probably) not related to the box name. but still wondering how the other path with the name related software works …

@Tellico said:
I could use a tip, I’m on what seems to be a last step. Found an installed program related to machine’s name, exploited its vuln and got the password. But I’ve no idea how to use the password now. Any tips?

I didn’t do that path, but if you got the password you could probably try to look up how you do something as someone else :slight_smile:

Now, that was fun. Thank you @mrb3n for a nice, straight-forward box. Especially loved the root/administrator part :slight_smile:

@guanicoe said:

@peek said:

@guanicoe said:

is the 46***.py supposed to work ? It should be vulnerable looking at the version ..4 , but I get an issue loading the login page in py. am I on the wrong path?

yes it works, but read carefully the payload

I’m not reaching the payload, the python2/3 script crashes on line 54 when it looks for the value in the soup dictionary.

Can I pm someone for help to be able to share more details?

Could anyone give me a nudge? Am I on the right path with the Python script? Does it crash for others as well?

@theonemcp said:

@Tellico said:
I could use a tip, I’m on what seems to be a last step. Found an installed program related to machine’s name, exploited its vuln and got the password. But I’ve no idea how to use the password now. Any tips?

I didn’t do that path, but if you got the password you could probably try to look up how you do something as someone else

Thx for the nudge. You cured my serious case of overthinking solved machine :wink: Rooted

@guanicoe said:
@guanicoe said:

@peek said:

@guanicoe said:

is the 46***.py supposed to work ? It should be vulnerable looking at the version ..4 , but I get an issue loading the login page in py. am I on the wrong path?

yes it works, but read carefully the payload

I’m not reaching the payload, the python2/3 script crashes on line 54 when it looks for the value in the soup dictionary.

Can I pm someone for help to be able to share more details?

Could anyone give me a nudge? Am I on the right path with the Python script? Does it crash for others as well?

yeah, it happens, reset the box

how to get the root using “Remote” way ?
i got it using U ** S * * .
anyone PM me how to solve it the intended way !

@bhsec said:
how to get the root using “Remote” way ?
i got it using U ** S * * .
anyone PM me how to solve it the intended way !

Sent you a PM.

@peek said:

yeah, it happens, reset the box

not a working solution. Could someone pm the script they used so I can test it. (for no spoil it can be with blank logins and blank payload. ) I just want to know if the issue is me or the website.

Noob here, I am really having a good time with this, I ended up getting the creds for a user, logged in to the bo** just have no idea where to go from here.

@scorpion1206 said:

Noob here, I am really having a good time with this, I ended up getting the creds for a user just have no idea where to go from here.

have you tried logging in ?

have you tried logging in ?

Yep sorry should’ve stated that I logged into the bo** with a****@.**

Wild ride, that was pretty hardcore. Got user.

For that POC, really read what the payload is doing. The naming is a little funky IMO. PM if you need a hint. Props to @peek for leading me in right direction.

stuck in a weird limbo, got user pretty fast and found the uS service after 5 minutes, was able to exploit it and priv my user but can’t seem to finish the box… I’m stuck in this way for the last few hours. I’m sure it’s something stupid if someone can please PM me it is driving me crazy

edit: got root, i over complicated things but with a little help from @critlize was able to find the right way. was a good box much respect

Managed to root it. Thanks to everyone on discord that helped me through the time of happiness and despair.
For the people fighting with user flag: for some kind of reason, this exploit you probably want to use won’t work because of missing cookies. Try to change perspective and attack yourself. Watch what happens and paste what is missing with help of repeater.

Can’t figure out what to do with the credentials. Can someone help me? A small PM would be nice. Thx

So lost with what to do with the payload someone please PM me

@egorchel said:

@anuragd said:

Hi everyone. Newbie here. I managed to find the login page, and understand how to get what I need from the filesystem using the CMS. For the life of me, I cannot figure out how to access the s** file that I want. I don’t seem to be able to get anything other than a 404.
anyone willing to give me a nudge for the initial foothold?

what other ports are open on the box? could it be they may let you get it?

Finally rooted the box. Root was quite easy and I’d have gotten it 2 days ago if the machine hadn’t died. Thanks a ton for the tip @egorchel . This really helped. Learnt something new.

@LaszloNagy said:

@imag1ne said:

30 different ways, no success with PoC. Continue to crash at Viewstate. Can anyone advise? is this a py issue on my box?

Make sure you’re in a privileged account. There’s more than one you can log into with the same password

All,

Thanks for the feedback. I took a chance and just dropped a new build; good a time as any to update to Kali 2020.1. Wouldn’t you know, worked first time, including my first payload attempt. I guess I was right to suspect my system…

Error while accessing a particular service.

clnt_create: RPC: Unable to receive ??

I was able to access it yesterday but now I am unable to access it.
Tried restarting a few services etc…

Is anyone else facing this issue, and is there any fix for it?