Comments
@init5 said:
Same point, been stuck for hours. A nudge would be welcome
@syn4ps said:
Same here
I feel stupid, but I just can't get past the WAF. A nudge would be greatly appreciated
Hi guys. I have been stuck for hours after bypassing the WAF, exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don't seem to be valid for one of the users enumerated earlier. I found two other users after expanding my username list and using k*****te, but I still don't have a valid password. Am I on the right path, or should I perform further enumeration such as directory enumeration, LDAP, etc.?
@moszkva said:
You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them.
EDIT: Slow down the queries to get a full list of Domain users... I was grepping my script's output and did not notice the 403s... User owned!
@syn4ps said:
Yes. This is where I am right now. I got new domain users, but the cracked passwords are not valid for them.
I tried to log in with them to other services and to mutate them based on frequently used rulesets. But nothing :-(
I thought these were just default passwords which had been changed by the users, and this is the reason why they are not valid.
I also thought that somehow I should reset the users, as these are their default passwords, but I could not find a way so far to perform this.
Just got the user flag. The cred is still valid, so keep trying harder.
Onto root now.
Spoiler Removed
I'm stuck trying to crack the hashes, could anyone give me a hint ?
@MrBlu3 said:
With the good hash function and rocks, you can crack them under 5 seconds
I just got user.
Was very tough but was worth it. A lot of manual work. I will not give you nudges because the exploitation is awesome and we should struggle.
For the initial users, yes, I can give a good article which can help for the overall exploit.
But finding the real user was insane and beautiful : )
I struggled so much, but when I found it I was super proud of myself. Was so so cool...
Now onto root... Let's see if I will struggle again, most probably yes : )
BIG THANKS @egre55 and @MinatoTW for this amazing box.
If you have trouble smelling what the Rock is cooking, you can try to Google for "hash brown analysis online". It's not what you think it is.
Write-ups | Discord - limbernie#0386
To correct myself so that I don't sound so bad b****
For the next user I can also provide reading material.
ROOTED. I found root way easier than the initial foothold. Of course there was a bit of hopping through users here as well : )
I guess I need a nudge for root
anyone willing to throw a nugget?
The path to user was one of the most awesome ones I have seen among the machines published.
Thanks @egre55 and @MinatoTW for creating the amazing challenge.
Stuck on root now for 2-3 days, went deep into 2 possible scenarios but couldn't quite get them working.
If anyone is willing to provide me a small nudge, I would highly appreciate it.
quick sanity check...got 4 unique hashes but can only crack 3 of them. Should I be able to get all 4?
@velocicat
No, you need to find a user that can log in with a password. But first you need to find that user, which is another moment of struggle : )
Also, for that user you need to go back and search again.
Finally rooted and I want to once again say:
This was the best machine I've ever done on this site, massive props to the creators!
Finally got user! On to root...Great box so far! Thanks to everyone for the nudges and the hints on the forum.
This has been a very hard box for me. Feeling pretty hard-stuck as I finally got nudges to get me close to finding certain types of accounts, but the responses I'm getting back are not being encoded/decoded cleanly. Not sure how to handle.
@MariaB said:
Indeed, I was struggling on this part as well, but it was very worth it.
@MariaB said:
Could I request this reading material please?
May I ask someone a couple of questions regarding this box?
I have got user, but I am rather stuck on moving on to the next paths. I believe I have been down several rabbit holes which don't lead anywhere, but that could be my lack of knowledge about these systems.
@metuldann said:
Same..
Note: https://www.nohello.com/
Happy to help people, but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter, so my DMs are always open.
So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I've tried tweaking the tamper script but am still failing hard.
I may need to give up on this and find the reading material @MariaB hinted at.
I don't need hints yet, just ranting more than anything else.
@TazWake said:
I doubt that the typical automation tools will get you there (even with the corresponding tamper scripts). I'd rather recommend writing a small script to exploit it. And then search for/find said reading material.
GREM | OSCE | GASF | eJPT
@SgtSIGSEGV said:
I'm in the same boat... I think I see that path to root this box, but must be missing a piece to this puzzle.