This is probably a stupid question, but this is my first real box:
I managed to upload a p0wnyshell to the server and I figured out the user pwd, but I have no idea how to continue.
I can’t su because I don’t have a tty shell (and upgrading to a tty shell doesn’t work).
I have tried to create a reverse shell that connects to my Raspberry Pi via python, bash, PHP etc. but nothing happens. It seems like I can’t connect to anything.
And, as I said, stuff like sudo or su doesn’t work with my p0wny shell.
@dux800 Tty doesn’t really work with p0wnyshell I guess, I’ve tried most of those commands
Edit:
I solved my problem, I tried to connect to my external IP address instead of my VPN IP address. That makes sense, but it took me hours to figure that out. Now I have my tty reverse python shell
A lot of twists here and there, but finally rooted.
Initial foothold is a pain; user seems a bit unrealistic to me.
Rooting was a piece of cake due to a very uncommon config/bug mix.
@gunroot said:
Enumeration is the key for foothold. Do with some extensions. Google “how to generate custom wordlist from a website?”.
I’ve got the wordlist down, but cannot get a working syntax with h**** to be successful, and not sure if I should try to find another tool, or if I just need to learn this one better
Found the foothold user pretty quickly. Made my list OK (it turns out it did include the correct pw). There is some code I adapted to find the right password, but it didn’t work (need to understand why at some point). After several hours of scratching around I entered the correct password manually as it stood out to me.
From there getting user and root were pretty quick, but learnt some good stuff along the way. Thanks to @egotisticalSW for the fun box!
Feel free to reach out if you need a nudge.
Ok. I’ve been working on this box since early yesterday afternoon. I believe I have located the user pass, but having difficulty with the username. Can someone offer a nudge?
Also, I think my fuzz syntax may have an issue as I keep getting Fatal exception: FUZZ words and number of payloads do not match!
My code: wfuzz -c -z file,users.txt -z file,pass.txt http://10.10.10.191:80/FUZZ
Thanks in advance!
Your wfuzz syntax is broken. -z isn’t for a list of usernames and you’ve used it twice. You haven’t given it a wordlist to FUZZ with.
For example, if you were looking for image files you might use:
I’ve found a hash for h***. I can’t seem to crack it with john or hashcat. They just finish immediately. Should I be using a non-standard wordlist?
Hey. I assume that you got the hash from the appropriate version of bludit from the initial shell.
Once you have the hash, I suggest you analyze the type of hashing used with the link below.
Then use John or Hashcat to perform cracking based on the hash format you got from the link above.
John/Hashcat will crack it against rockyou.txt.
You can get the rockyou.txt file here: https://github.com/finnfassnacht/rockyou.txt
If that doesn’t work out, then you can use the link below to crack the hash without specifying the hash format.
(**Note this link will work only for very commonly used passwords.)
I’m having the same issue as torcher15. I’ve tried to update kali and metasploit and still getting the same thing.
[-] Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.
For both of you: try to alter the payload based on the nature of the exploitation. The default module needs some tweaks to work perfectly. But there is also a manual way to exploit.
Good luck
@gunroot I tried to do the manual way with the script, but was running into errors on that as well. I’ll do some digging to figure out what I’m missing.