Shocker

Here it is: dirb http://10.10.10.56 /usr/share/wordlists/dirb/big.txt -x /usr/share/wordlists/dirb/extensions_common.txt

Somehow embarrassing to ask for help for such a simple machine. Didn’t have such problems with other machines.

This will eventually find what you need. But it’s not very smart. Try to think what you are looking for. Maybe you have to search in a specific folder for specific files inside that folder.

From the box name, you have some idea of what may be relative to this box. Think about directories that may be exploitable for this box and start there. And think about file types that usually work in that directory. And think ‘old skool’. There were web applications before php and asp!

@alamot said:
This will eventually find what you need. But it’s not very smart. Try to think what you are looking for. Maybe you have to search in a specific folder for specific files inside that folder.

Yep, I’m totally aware of this non-smart scan. It was my last chance after some probable smarter scans. An no, it did not find anything specific (besides some 403 dirs). I’ll try to be smart again…

Never mind…did not think of THIS extension. Furthermore: a non-smart scan probably is not reliable. The extension was included in my non-smart scan for whatever reason, it didn’t find what I found a few seconds ago. It’s magic (or reset).

I have limit shell, any hint ?

@S4ck said:
I have limit shell, any hint ?

look for the ways to spawn the shell and priv esc without exploit. This is one method. There are other ways too. :wink:

@S4ck said:
I have limit shell, any hint ?

Removed Spoiler

got it ! , thanks a lot

Unable to find the entry point. Can anyone help to reach the entry point? Tried all possible dir enum tools but no luck.

Don’t focus so much on the tool as the extension you are searching for :wink:

I almost tried all the wordlists looking for the “ext” in “ext-bin” , but dirb common.txt and big.txt seems to show nothing… Any hints please?

@psyberlupus said:
I almost tried all the wordlists looking for the “ext” in “ext-bin” , but dirb common.txt and big.txt seems to show nothing… Any hints please?

So maybe the “ext” that you are thinking is the correct “ext” is, in fact, not the correct “ext”? What if it’s some other “ext” that’s frequently used in an environment such as this?

Happy Hacking. :slight_smile:

Thanks , I looked into other extensions, and got there eventually. :slight_smile:

@likwidsec said:

@psyberlupus said:
I almost tried all the wordlists looking for the “ext” in “ext-bin” , but dirb common.txt and big.txt seems to show nothing… Any hints please?

So maybe the “ext” that you are thinking is the correct “ext” is, in fact, not the correct “ext”? What if it’s some other “ext” that’s frequently used in an environment such as this?

Happy Hacking. :slight_smile:

i dont seem to understand this hint … any other

Hey Guys… Please any hint to got priv in this machine… I’m getting fucking crazy!!! 5 days in this hard mission

@raphaelmota said:
Hey Guys… Please any hint to got priv in this machine… I’m getting fucking crazy!!! 5 days in this hard mission

just use basic enumeration of linux…or run linuenum.sh script …u ll find a way of root…

This is driving me mad too. So far i’ve been searching loads of extentions and folders. I think i’m getting somewhere with a shell file i found but i do not know what to do with it. I have run a script that sees this as a possible weakness but fails when trying to shock it? Please guys, any pointers? It feels like I have tried everything!

@elvskerm said:
This is driving me mad too. So far i’ve been searching loads of extentions and folders. I think i’m getting somewhere with a shell file i found but i do not know what to do with it. I have run a script that sees this as a possible weakness but fails when trying to shock it? Please guys, any pointers? It feels like I have tried everything!

There is a tool that resembles the name of the box that proves to be very useful for this.

thanks… i will try and explain where about I am now. I believe I am looking in the right directory, probably looking at the right file as my entry point. I’ve tried shocking with a tool and it find an exploit but fails. I have also been following some info in researching, I managed to send some remote code by changing a header. I managed to pull a list of user accounts and their directory (not sure what to do with this info) - i uncovered a new user account. Am I on the right path or way off? What now - Brute force the found user account? I seem to be going around in circles! Thanks guys!