Cache

I’m kinda stuck. By reading here and with ms* I found a h**.b v*h but I can’t access it from my browser. Can someone give me a nudge?

Nvm, I’m stupid

Stuck in the SQL injection… found some tables that seem interesting (u****_s*****) but the tool can’t dump data from it… is it normal?

Never mind… session had expired

Rooted. I’d never interacted with the service before. Definitely an interesting way to pivot. Name of the box matters.

Thank you @ASHacker for the box!

Feel free to DM for a nudge!

I’d appreciate a nudge. I have RCE on e** app, what should I be looking for next?

Hi, I saw the exploit author’s YouTube video and tried it, but I failed. Then I saw an exploit from the CMS that had many exploit injections; I tried it, but I am always landing back at the login page. Am I missing something?

This is a really fun box, despite being stuck on the foothold for 3 days.

Foothold: there’s another hidden service somewhere.
User part 1: you need to get a flu jab.
User part 2: look in the cache and you shall find your treasure.
Root: ride on the blue whale and run away.

DM for additional nudges.

Ah. rooted.

Nice box. Learnt a few new attack vectors/techniques from this one.

PM if you need a nudge for this one.

Yey! I rooted it, and even managed to extract tables and all info myself manually. Fun box, frustrating because of the initial foothold if you’re like me with little to zero experience in this stuff.

Finally rooted the machine
PM, if you need help

Can someone help me…
How to find there is another host H**.h**
I tried nslookup, nbtscan, dnsenum but didn’t get anything.

@GHOSTontheWire said:

Can someone help me…
How to find there is another host H**.h**
I tried nslookup, nbtscan, dnsenum but didn’t get anything.

In general there are a couple of fuzzing tools which can do this quite effectively.

Not sure you need it here.

@TazWake
Then how to discover other host.

@GHOSTontheWire said:

@TazWake
Then how to discover other host.

You are 100% correct and it was entirely my mistake. I’d confused two boxes. Sorry for the confusion.

Custom wordlists are a really good idea.

@TazWake
No problem.
I am always confused which wordlist I should use…
So I merge directory-list-2.3-medium.txt, common.txt, big.txt

@TazWake said:

@gotw said:

(Quote)
You are 100% correct and it was entirely my mistake. I’d confused two boxes. Sorry for the confusion.

Custom wordlists are a really good idea.

But for host discovery why we need fuzzing.

@GHOSTontheWire said:

@TazWake
No problem.
I am always confused which wordlist I should use…
So I merge directory-list-2.3-medium.txt, common.txt, big.txt

Trial and error. One frustration with HTB is the fact that you often have to try dozens and never know if you’ve got something wrong or just used the wrong wordlist.

@GHOSTontheWire said:

But for host discovery why we need fuzzing.

With CTFs there are some technical differences from the real world - for example, DNS queries don’t have the same results and you can’t look up an IP to do a reverse DNS and find all the servers it hosts. This means you need to do some slightly artificial fuzzing to find out how servers respond to various requests.
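
Seen from the server side, the hostname fuzzing described above leaves a recognisable pattern in access logs: one client trying many Host values against a single IP and mostly getting the default site back. The sketch below is an added example, not part of the thread; the log format, hostnames, addresses and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread). Assumed log format:
# client_ip  host_header  status  response_bytes
SAMPLE_LOG = """\
10.10.14.7 admin.box.example 200 8193
10.10.14.7 dev.box.example 200 8193
10.10.14.7 mail.box.example 200 8193
10.10.14.7 test.box.example 200 8193
10.10.14.7 portal.box.example 200 2210
10.10.14.7 staging.box.example 200 8193
10.10.14.9 box.example 200 8193
10.10.14.9 box.example 200 512
10.10.14.9 box.example 404 196
"""

def parse(log_text):
    """Yield (client, host, status, size); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        yield parts[0], parts[1].lower(), int(parts[2]), int(parts[3])

def find_host_fuzzers(log_text, min_hosts=5, min_default_ratio=0.8):
    """Flag clients that sent many distinct Host values and mostly received
    one identical (status, size) response, i.e. the default virtual host."""
    per_client = defaultdict(list)
    for client, host, status, size in parse(log_text):
        per_client[client].append((host, (status, size)))
    flagged = {}
    for client, rows in per_client.items():
        distinct = {h for h, _ in rows}
        default_resp, count = Counter(r for _, r in rows).most_common(1)[0]
        if len(distinct) >= min_hosts and count / len(rows) >= min_default_ratio:
            flagged[client] = {
                "distinct_hosts": len(distinct),
                # Names that answered differently: virtual hosts the client
                # has now learned exist, worth reviewing for exposure.
                "non_default_hosts": sorted(
                    {h for h, r in rows if r != default_resp}),
            }
    return flagged

if __name__ == "__main__":
    print(find_host_fuzzers(SAMPLE_LOG))
```

The `non_default_hosts` list is the part to act on: those are internal names that responded differently from the default site and should either require authentication or not be reachable from that network at all.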

@TazWake
Yes, here we work on a particular IP so hostname lookup is not possible.
But on WORLD WIDE WEB it is possible.

Hi there! Got root on this machine but it is giving me wrong flag… someone know why?

@srsamuka said:
Hi there! Got root on this machine but it is giving me wrong flag… someone know why?

Nevermind, I was putting the right flag on the wrong machine… xD