Official Blunder Discussion

@bobthebadger said:
Finally rooted… foothold was slow, took some digging and reading! to see the obvious. Getting user was a pain, not helped by me flying down a bunny tube for a few hours, only to realize I was making a silly mistake.

bunny tube! haha
thank you for that

Finally Rooted. Very funny machine…

HINTS

  • Create a personalized wordlist with the information you get
  • Automated tools can help you, but be careful
  • A recent CVE can help you

PM me if you need any nudge, I like to help :smile:

@LordOfAgap said:

Finally I was able to root it. I really enjoyed the box, it took me some time to modify the python code to make it work. But just wondering if there is another way to get f****s password without using a bruteforce?

Hey. I didn’t write any script to brute-force the pass. But I found it by just trying all the names in that custom wordlist manually (I thought I got the pass in 5-10th attempt). Lol I had luck.

I’m trying to exploit the foothold vuln manually. Maybe some kind of WAF? Any hint?

EDIT: Rooted! If someone used the brute-force approach please write me in PM :slight_smile:

@0xBro said:

I’m trying to exploit the foothold vuln manually. Maybe some kind of WAF? Any hint?

Google is your friend here. Search for the name of the thing you are trying to attack and ways to bypass its restrictions.

@retrymp3 said:

“This exploit may require manual cleanup of ‘.*****’ on the target” - I am pretty sure that this wasn’t intended. I can’t advance further with this, maybe resetting the box will help. Because we don’t have permissions to write on any files from foothold.

Edit: leave t***** *** as default for this to work?

Rooted. Great box. Props to @egotisticalSW.
Foothold, some zz and some coolness.
No hints needed for user and root

Rooted.
As some wrote, many rabbit holes for the user.
Root very easy.
PS: Thanks, Torre Oscura!

Rooted
Not going to say much since there is a ton of hints already in the forums.
PM me if you need a nudge

Thanks for the box, it was great. If anyone needs nudges or help doing the manual exploit (without msf), send me a PM.

I have credentials for H**o and a meterpreter session as www, but it won’t let me run su H&&o as the command isn’t recognised. Anyone know how to change users in meterpreter or indeed a nudge or what to do with H&&o credentials?

@BugsBunny said:

I have credentials for Ho and a meterpreter session as www, but it won’t let me run su Ho as the command isn’t recognised. Anyone know how to change users in meterpreter or indeed a nudge or what to do with H**0 credentials?

Improve your shell.

Hello, I need help. I have the username and password F ***, but I got stuck there; I got the CVE but I need a push.

@jesus62175 said:

Hello, I need help. I have the username and password F ***, but I got stuck there; I got the CVE but I need a push.

There is a POC for that CVE. Google will give it to you if you ask correctly.
There is also a dedicated module written for the most favorite exploitation software.

@gunroot said:

@jesus62175 said:

Hello, I need help. I have the username and password F ***, but I got stuck there; I got the CVE but I need a push.

There is a POC for that CVE. Google will give it to you if you ask correctly.
There is also a dedicated module written for the most favorite exploitation software.

But I get an error: require manual cleanup of ‘.h*****’ on the target

Soooo many rabbit holes after Initial Foothold for User, I feel so dumb I strayed so far from home… lol.

Root was simple enough once you do like everyone says, “back to basics”.

Rooted.
All the necessary hints have already been given here, so I won’t be adding any.
Just don’t overthink too much on the foothold, once you get the foothold, user and root is just minutes away! All the best!
Thank you @egotisticalSW for this fun box!

Rooted!! Fun box, easy but not immediate. Thank you @Zaitchev for nudges. You’ll think “I’m a fool” when you root it.
There’s my hint:

FOOTHOLD: the conventional standard ways are not the right way. Use your hands :wink: The CVEs are your friends.
USER: just enum everything. EVERYTHING!
ROOT: the basics of privesc. Google ALL!

PM for hints :wink:

@jesus62175 said:

@gunroot said:

@jesus62175 said:

Hello, I need help. I have the username and password F ***, but I got stuck there; I got the CVE but I need a push.

There is a POC for that CVE. Google will give it to you if you ask correctly.
There is also a dedicated module written for the most favorite exploitation software.

But I get an error: require manual cleanup of ‘.h*****’ on the target

I never got that particular error (I got a different one) but you might want to double check that you have the module set up properly. I suppose reading the module’s source code is enough, but this thread had a hint earlier about intercepting the request with Burp and making sure that it’s doing what you think it’s doing, and that made my error really obvious.

Awesome box! All the nudges given in this forum are sufficient to get you through.
If stuck, message me for nudges.
ROOTED!