Official Worker Discussion

Official discussion thread for Worker. Please do not post any spoilers or big hints.


Comments

  • Keep up the good work and hope you all will have some fun!

  • man, this one's so hard, I can't even nmap it. must be built by ninjas!

    first blood attempt. don't think i'm there yet but the excitement of going after it will be fun i'm sure. good luck everyone

    Arrexel

  • @BINtendo I feel you there, lol. I'm gonna see about a first blood attempt myself. I'm not sure if I'll be that good yet, but it's good practice. I'm testing for OSCP this upcoming Friday, so this should be a very interesting look for me to see where I am at with the methodology.

  • machine not responding to ping?

  • edited August 15

    nmap quick scan & masscan have been running for 20 min on VIP, that is slow. How many people are trying their luck on first blood today??

    EDIT: Lesson learned, if you want to be first, don't start your scan within the first 3 seconds of the box going online...

    Hack The Box

  • Ok, giving up.

    Hack The Box

  • Anyone who reached the auth prompt page? Any nudges?

    offs3cg33k

  • People are just killing the machine with brute-forcing, which is not needed at all

    OSCP

    Hack The Box

  • Yeah, kinda ridiculous. I found a way to obtain some files, and also found a URL that requires creds. But I am not exactly sure where the creds are located, if they are in the files I obtained through a certain service. Any nudges for that piece? I think I have a database too but not sure if that is where I locate the creds. (Not sure what's considered a spoiler or not, so please let me know if I am saying too much. Just PM me)

  • I found something interesting, started digging but I'm out of time. User blood gone. Congrats, it was fun.

    Arrexel

  • edited August 15

    Got some files from s**s****, two new hosts, a username, a login page and a database. Stuck here. I think there is a password somewhere but I'm not able to find anything.

  • are you guys using Kali's built in wordlists? 'coz I'm not getting any luck there

  • Hey all. I would appreciate a nudge. I found the file. I got a password. I'm able to add a file, then commit, but can't find a way to use the file once on the web server! Always 404, file not found! Any hint on what I'm missing?

  • @gverre said:

    Hey all. I would appreciate a nudge. I found the file. I got a password. I'm able to add a file, then commit, but can't find a way to use the file once on the web server! Always 404, file not found! Any hint on what I'm missing?

    pr, merge, build

    OSCP

    Hack The Box

  • @gverre said:

    Hey all. I would appreciate a nudge. I found the file. I got a password. I'm able to add a file, then commit, but can't find a way to use the file once on the web server! Always 404, file not found! Any hint on what I'm missing?

    I am really struggling to find that file, found a lot of files through svn **** but can’t find any password. Any nudge?

  • @LegendHacker said:

    @gverre said:
    Hey all. I would appreciate a nudge. I found the file. I got a password. I'm able to add a file, then commit, but can't find a way to use the file once on the web server! Always 404, file not found! Any hint on what I'm missing?

    I am really struggling to find that file, found a lot of files through svn **** but can’t find any password. Any nudge?

    You should look at the man page of the command that you are using, a little parameter may do the trick ;)

    'These violent delights have violent ends'

  • OK, I'm gonna try, thank you so much!

  • Found the username and password, but they are not working with de****.w*.h

  • @D8ll0 said:

    Found the username and password, but they are not working with de****.w*.h

    Remove Burp Proxy :-)

  • That worked actually, thanks

  • I got the same problem. Got the good creds, can log in to svn, but not on that dev**** page. I even reset the box. How have you resolved your issue?

  • I just turned off burp

  • edited August 16

    Ok, got the user! Lost 3 hours. If it can help some, for me, that was a userAgent Switcher extension in Firefox causing the issue!

    Got root! Thx @ekenas. Fun box. Some new stuff for me. It would have been pretty straightforward not having my auth issue.

  • edited August 16

    Spoiler Removed

  • damn d*****.******.*** is slow...

  • edited August 16

    Hi all, I can see that some of you have grown a few new gray hairs while waiting for responses on worker. Sorry for that, but at the same time big congrats to all of you that pushed through!

    If you find creds lying around and want to try them out, make sure you only supply the base URL. In case you provide a path in the URL, your login attempt might get rejected.

  • edited August 16

    @idomino said:
    > damn d*****.******.*** is slow...

    Exactly, literally no response. How to improve that? Should I switch to US server?
    nvm, kinda works now.

  • edited August 16

    Any hints for rce after getting initial creds?

  • edited August 16

    Done. Nice box. Box does not contain any CTF or "guessing" parts. Kudos to @ekenas for this.

    OSCP

    Hack The Box

  • edited August 16

    I found something which looked like a username: aj******o and @aj**n. Are these the creds everyone is talking about? Found this inside the R****E.txt file. These don't seem to work for me, any hints?
