Official Doctor Discussion

I have been trying to find vhosts using wfuzz and vhostchecker, but no luck. All of the requests return 200; how do you guys tackle that? So far I have been filtering on line/word count. Is there a better way?

Would appreciate a nudge.

@tang0 said:

I have been trying to find vhosts using wfuzz and vhostchecker, but no luck. All of the requests return 200; how do you guys tackle that? So far I have been filtering on line/word count. Is there a better way?

Would appreciate a nudge.

check email

The creator of this box needs a Nobel prize for trolling HAHA

I am stuck at the login page. Any hints? I have tried some basic s** I*******n.

@he110w0r1d said:

@tang0 said:

I have been trying to find vhosts using wfuzz and vhostchecker, but no luck. All of the requests return 200; how do you guys tackle that? So far I have been filtering on line/word count. Is there a better way?

Would appreciate a nudge.

check email

Thanks, totally missed that.

@AhadAli said:

I am stuck at the login page. Any hints? I have tried some basic s** I*******n.

It isn’t that. It’s more templated.

Stuck in the D***** S****** M******** using a self-created user.
Any nudge would be appreciated. Tried s** mp for basic s** I******n too.

@AhadAli said:

I am stuck at the login page. Any hints? I have tried some basic s** I*******n.

S** Injection is so 2009

@LMAY75 said:

Spoiler Removed

■■■■ apparently my post root analysis gave away too much, I thought it was pretty vague but hey who knows.

Just want to reiterate that if anyone needs a hint they should feel free to DM me, this was more challenging than usual for an easy box.

Rooted. I agree that is not an easy one, in particular the first part.
DM me if you need a nudge.
Thanks to EgotisticalSW for this nice box.

Any hints for r00t? I take it involves the high port and dash L? Can’t seem to get dash L to work though.

@n3wb1en3w said:

Any hints for r00t? I take it involves the high port and dash L? Can’t seem to get dash L to work though.

DM sent

@wazKoo said:

Wondering how people discovered the 1st exploit S**I on that page. Since it was kinda blind not knowing how to trigger and check the result

Yeah, I agree, that was a bit obtuse. I figured it out pretty much from luck and viewing source because I found it odd that this page existed, but nothing was there. It was kind of sticking out like a sore thumb.

whoami

root

id

uid=1002() gid=1002() euid=0(root) groups=1002(*****)

No easy box at all. Foothold and user were just insane, would never have got those without helpful nudges from the good people of the forum. Root was a piece of cake though, assuming I went with the normal path.

Rooted. Thanks to @ArtemisFY for helping me in sorting out where I was getting lost.
IMHO, there’s a misconception on the classification easy-medium-hard-insane which is not really related to the true “stiffness” of the box.
hints:
foothold: once you find it, be kind and leave a message asking what you want.
user 1: your favourite enum scripts will tell everything.
root: google the high one.

Edit:
Wanted to add that this box taught me a lot more than many other “hard” boxes, so thanks @egotisticalSW

Thank you so much @bertalting and @Smyrie for the nudges on the initial foothold. I guess I was a little cocky because of the “easy” label of this box. Turns out, it wasn’t as hard as I was making it to be. I overlooked one small detail. The nudges helped me see what I missed.
Getting root was pretty hectic, but it all came down to Google-fu. It was easy enough, just a bit tedious.
All in all, this was pretty humbling for me, I came into it pretty cocky then immediately realized I am NOT Mr. Robot. But seriously, thanks @egotisticalSW for this box!

Not an easy machine for me, learned new things, sometimes boxes like this point me to great articles.

I feel like I’m somehow overcomplicating things here, I can’t get the shell to pop at all through D***** S***** M******** and the A******, anyone mind helping me figure this out?

@pizzapower said:

@wazKoo said:

Wondering how people discovered the 1st exploit S**I on that page. Since it was kinda blind not knowing how to trigger and check the result

Yeah, I agree, that was a bit obtuse. I figured it out pretty much from luck and viewing source because I found it odd that this page existed, but nothing was there. It was kind of sticking out like a sore thumb.

It’s an odd vuln for an easy box. Not even X** but a really specific offshoot.

I tried many injections into the DSM login page but without success… I saw something with GZIP into HTTP, I will start doing some research about it!! Could someone guide me if this is the right way!! I’m still looking for the user!!