Official Blunder Discussion

@GooseSthlm said:

Hi, I'm trying to exploit the vulnerability here with both the “pre-made” one and one I downloaded, but I get this message when using check: “The target is not exploitable”. And when I try to exploit it, I get this message: “Exploit failed: An exploitation error occurred.”

What could be wrong here?

I'm 99.9999% sure I filled in all params right. I checked and checked again.

The messages imply something is wrong, so you need to work through everything and validate it again. I know that sounds frustrating, but the error message is telling you something isn't right, and we can't see what's on your screen.

Common issues are things like the path chosen, credentials used, payload.

If you really aren't sure, try changing them one at a time. Try using a known bad value to see if it changes the outcome. Etc.

I'll give it another try and get back here to let you know.
Gonna take a break for lunch first to get some nrg back haha

I was looking at this box again after rooting it when it came out. Was anyone able to get RCE on this box without using MSF? I have been looking at the .py code and have got RCE with certain commands, but not with others that would provide a stable shell.

A quick tip for root: don't waste time with the second user (s…n), the first user is enough to elevate privileges.

Anyone able to DM me? I am trying the hard mode and can get 1 thing in the right place, but the second thing for access is denied, and I can't see why. I have TCP-dumped the easy way to user and seen what is going on, but I can't repeat it manually.

Rooted! Still didn’t get my ht file in place for a manual foothold, will have to wait for the retirement.

Rooted this box a few days ago! Thought it was quite a fun one. I thought that some parts were a bit CTF-y, but if you have some experience with HTB boxes, nothing should be too surprising.

The thread already contains many good hints, I can basically only reiterate what was already said:

Foothold

  • Be sure to thoroughly enumerate the box and keep track of all infos you find
  • The usual password lists won’t get you far. Make your own one. There’s a cool tool that can do that for you.
  • Look up publicly known exploits - don’t use M…sp…t, from what I gather, the manual way is actually easier and it’s quite well documented

User

  • Once you’re on the box, enumerate again
  • Look up what other services are installed on the box
  • Again, usual password lists won’t get you far, but there’s a station online that can help you crack what you find in seconds

Root

  • Don’t think too far/too complicated. Don’t fall into rabbit holes.
  • Check out what you are allowed to do. That should be one of your standard steps anyway.
  • You might notice something strange… search for that online and you're basically there.

If anybody needs some help, feel free to drop me a PM. Happy to help, but I'm not online a lot here at the moment.

Thank you for this box, it taught me a lot of patience (especially the initial foothold - it definitely took me the longest and imo was the hardest part of this box).
This topic contains all the tips needed to complete the box, here are a couple of thoughts from me:
initial: some fuzzing, CVE, a custom wordlist, you've got creds. I almost guessed the password but had the wrong username at first.
user: check all versions
root: super basic enum, as stated earlier - google what looks suspicious

Rooted. Nice box, everything from beginning to end is fairly easy just overthinking it might make it take longer. PM for nudges.

Rooted. Fun and easy box. Feel free to hit me up for nudges.

I was getting along pretty well, got the foothold, wrote a little python in the process. Could I get a hint getting user/root (not sure if I have ‘user’ or foothold right now, but I do have something). Tried a couple of different routes to RCE, but can’t seem to figure that out. Any help for someone new to this?

@mokrunka said:

I was getting along pretty well, got the foothold, wrote a little python in the process. Could I get a hint getting user/root (not sure if I have ‘user’ or foothold right now, but I do have something). Tried a couple of different routes to RCE, but can’t seem to figure that out. Any help for someone new to this?

If you have a shell on the box, you are probably in a “foothold” - enumerate. Look into the technology and find where it is likely to store loot. Look around and find exactly where the real loot exists.

Find the loot, use it.

Then enumerate some more. Find a vuln published at the end of last year and privesc

Thanks @TazWake. I have tried both the ‘manual’ way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the ‘easy’ way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of ‘.*******’ on the target.

@mokrunka said:

Thanks @TazWake. I have tried both the ‘manual’ way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the ‘easy’ way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of ‘.********’ on the target.

You should be able to get MSF to work - possibly double check the options.

Yeah, beating my head against a wall here. I've tried several times, and I really think I'm putting in the right options and target/host info. Using a r******.t** shell, I'm still getting an error of “This exploit may require manual cleanup of ‘.********’ on the target.” Maybe that file has been inadvertently modified somehow.

@Karthik0x00 said:

I have seen that many people here are using the MSF module to exploit the vulnerability. You can choose that as you wish.
But many are not configuring LHOST properly. Check options before exploit.

I still had to adjust the firewall to allow access to port 4444.

@mokrunka said:

Yeah, beating my head against a wall here.

Understandable. It is important to remember exploits are never guaranteed at the best of times.

It is not unusual to have to try an MSF exploit several times before it works. But it shouldn’t be hundreds if it is ever going to work.

I’ve tried several times, and I really think I’m putting in the right options and target/host info.

Ok, but really there are only a few possible scenarios here:

  1. You are using the wrong exploit
  2. You have used the wrong options
  3. Something on the box is broken
  4. Your system is preventing the reverse connection (Firewall or other security tool/privs)

If you are confident it is number 3, reset the box. If a reset doesn’t fix the problem it is one of the others.

Using a r******.t** shell,

I hope you are using a payload with a different name to that. Something along the lines of //r_* for example.

I'm still getting an error of “This exploit may require manual cleanup of ‘.********’ on the target.” Maybe that file has been inadvertently modified somehow.

So, the easiest thing here is to read through the MSF Ruby file for the exploit to see what it does and what that message means. It may be irrelevant to the problem if it is generated under normal circumstances and if you haven’t got the exploit to work, you don’t know what “normal” looks like here.

If you read through the source code you can get an idea of what it is trying to do. It looks like the problem might be that it can't write the file it wants to write, which is why it can't automatically delete it.

That implies the options aren’t correct.

tl;dr - reset the box, if that doesn’t work your options are wrong.

That was my typo - yes, the payload I've been using is, I think, the one you're referring to there (//r_*). I'll give it a shot again today and see how I get on. Thanks again.

Anybody else having problems with the US VPN? I've gotten a shell, but I keep losing the connection before I can really get anything else done. This has been happening from three different internet connections.