Official Blunder Discussion

This is probably a stupid question, but this is my first real box:
I managed to upload a p0wnyshell to the server and I figured out the user pwd, but I have no idea how to continue.

I can’t su because I don’t have a tty shell (and upgrading to a tty shell doesn’t work)
I have tried to create a reverse shell that connects to my Raspberry Pi via python, bash, PHP etc. but nothing happens. It seems like I can’t connect to anything.

And, as I said, stuff like sudo or su doesn’t work with my p0wny shell

@Spunnring said:

This is probably a stupid question, but this is my first real box:
I managed to upload a p0wnyshell to the server and I figured out the user pwd, but I have no idea how to continue.

I can’t su because I don’t have a tty shell (and upgrading to a tty shell doesn’t work)
I have tried to create a reverse shell that connects to my Raspberry Pi via python, bash, PHP etc. but nothing happens. It seems like I can’t connect to anything.

And, as I said, stuff like sudo or su doesn’t work with my p0wny shell

I think this will help you: Upgrading Simple Shells to Fully Interactive TTYs - ropnop blog


@dux800 Tty doesn’t really work with p0wnyshell I guess, I’ve tried most of those commands


Edit

I solved my problem, I tried to connect to my external IP address instead of my VPN IP address. That makes sense, but it took me hours to figure that out. Now I have my tty reverse python shell

Having trouble with initial foothold at login page. Can someone nudge me?

A lot of twists here and there, but finally rooted.
Initial foothold is a pain, user seems a bit unrealistic to me.
Rooting was a piece of cake due to a very uncommon config/bug mix.

Would love to talk with someone regarding this box - stuck on getting the initial foothold

@Raybz said:

Would love to talk with someone regarding this box - stuck on getting the initial foothold

Enumeration is the key for foothold. Do it with some extensions. Google “how to generate custom wordlist from a website?”.
Good luck

Rooted, very easy but fun box… Thanks a lot @egotisticalSW

@gunroot said:
Enumeration is the key for foothold. Do it with some extensions. Google “how to generate custom wordlist from a website?”.

I’ve got the wordlist down, but cannot get a working syntax with h**** to be successful, and not sure if I should try to find another tool, or if I just need to learn this one better

Found the foothold user pretty quickly. Made my list OK (it turns out it did include the correct pw). There is some code I adapted to find the right password, but it didn’t work (need to understand why at some point). After several hours of scratching around I entered the correct password manually as it stood out to me.
From there getting user and root were pretty quick, but learnt some good stuff along the way. Thanks to @egotisticalSW for the fun box!
Feel free to reach out if you need a nudge.

Ok. I’ve been working on this box since early yesterday afternoon. I believe I have located the user pass, but having difficulty with the username. Can someone offer a nudge?

Also, I think my fuzz syntax may have an issue as I keep getting Fatal exception: FUZZ words and number of payloads do not match!

my code:
wfuzz -c -z file,users.txt -z file,pass.txt http://10.10.10.191:80/FUZZ

Thanks in advance!

@tripwire86 said:

Thanks in advance!
Your wfuzz syntax is broken. -z isn’t for a list of usernames and you’ve used it twice. You haven’t given it a wordlist to FUZZ with.

For example, if you were looking for image files you might use:

-w wordlist -u http://example.com/FUZZ.FUZ2Z -z list,gif-jpg

You also want to make sure you are eliminating some messages or you’ll get an insane amount of responses.
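As an added illustration of the FUZZ/FUZ2Z keyword matching described in the reply above (example code written for this thread, not taken from the thread or from wfuzz itself): a small Python model of how each payload is paired with one keyword slot, using the image-file example from the reply. The matching rule (every payload must be consumed by exactly one keyword) is a simplified assumption about wfuzz's behaviour, and the sample names and extensions are constructed.

```python
import itertools
import re

# wfuzz-style keywords: FUZZ takes the first payload, FUZ2Z the second, FUZ3Z the third ...
KEYWORD_RE = re.compile(r"FUZ(\d*)Z")


def keyword_indices(template):
    """Distinct payload slots referenced by a template, e.g. {1, 2} for 'FUZZ.FUZ2Z'."""
    return {int(m.group(1) or 1) for m in KEYWORD_RE.finditer(template)}


def check_payloads(template, payloads):
    """Return the wfuzz-style complaint when keywords and payloads do not line up, else None.

    Simplified assumption: payload N must be referenced by keyword slot N and nothing else.
    """
    expected = set(range(1, len(payloads) + 1))
    if keyword_indices(template) != expected:
        return "FUZZ words and number of payloads do not match!"
    return None


def expand(template, payloads):
    """Yield every request URL: the Cartesian product of the payloads substituted into the slots."""
    error = check_payloads(template, payloads)
    if error:
        raise ValueError(error)
    for combo in itertools.product(*payloads):
        yield KEYWORD_RE.sub(lambda m: combo[int(m.group(1) or 1) - 1], template)


if __name__ == "__main__":
    # Constructed sample payloads standing in for '-w wordlist' and '-z list,gif-jpg'.
    names = ["logo", "banner"]
    extensions = ["gif", "jpg"]
    # Two payloads but only one keyword: the same mismatch the poster above ran into.
    print(check_payloads("http://example.com/FUZZ", [names, extensions]))
    # Two payloads, two keywords: each payload feeds its own slot.
    for url in expand("http://example.com/FUZZ.FUZ2Z", [names, extensions]):
        print(url)
```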

Hi first post noob here.

I’ve found a hash for h***. I can’t seem to crack it with john or hashcat. They just finish immediately. Should I be using a non standard wordlist?

@thewetbandit said:

I’ve found a hash for h***. I can’t seem to crack it with john or hashcat. They just finish immediately. Should I be using a non standard wordlist?

Hey. I assume that you got the hash from the appropriate version of Bludit via the initial shell.

Once you have the hash, I suggest you analyze the type of hashing used with the link below.

Then use John or Hashcat to perform cracking based on the hash format you got from the above link.
John/Hashcat will crack it against rockyou.txt.
You can get the rockyou.txt file in here https://github.com/finnfassnacht/rockyou.txt

If that doesn’t work out, you can use the link below to crack the hash without specifying the hash format.
(Note: this link will only work for very commonly used passwords.)

Hope this will help you out.
:wink: Good luck.

Hi,

I have a problem with msf. After entering all the data, including LHOST, I get this error:

[-] Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.

What am I doing wrong?

I’m having the same issue as torcher15. I’ve tried to update Kali and Metasploit and am still getting the same thing.

[-] Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.

@Unemployment said:

I’m having the same issue as torcher15. I’ve tried to update Kali and Metasploit and am still getting the same thing.

[-] Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.

For both of you: try altering the payload based on the nature of the exploitation. The default module needs some tweaks to work perfectly. But there is also a manual way to exploit it.
:smile: Good luck

@gunroot I tried to do the manual way with the script, but was running into errors on that as well. I’ll do some digging to figure out what I’m missing.

Definitely enjoyed this box much more than Tabby. User was pretty cool and root was very straightforward! Nice job :slight_smile:

Need some help with hashcat. PM me pls.