Official Academy Discussion

@TazWake said:

@Sc0rp10ne said:

I too am stuck on the foothold thing. I believe I found the small change I need to make. I would be happy to discuss my strategy to see if I am headed in the right direction. So far none of the changes allows any new accesses. I’m sure it’s got to be something even more simple than what I’m attempting…

It is a small change. When you make it and it still works, you can log in to a new page with the credentials you have created.

Thanks @TazWake! Your hints worked. It was a simpler change than I even imagined. Also realized I need to spend some quality time learning gobuster. Forgot to run some features to help find the nuggets I’ve been looking for. On to the next stage \o/

Fun box, I did not find it as easy as other people did especially with the enumeration, but here is what I can share.

Foothold

When life gives you parameters, mess with them. This will open a door that only privileged users can go through. Once through the door, follow the path in front of you. Errors can reveal who you are, and we all have flaws. Well-known exploit tools might even know about this flaw.

User 1

Your favourite enumeration pod will reveal what should be of interest. Some keys can open more than one door. If you find such a key, try it against all doors.

User 2

A collection of users usually has things in common. When we do things we leave trails; they can be shrouded, but with the right combination of tools and grep you can un-mask anything. You might want to find the interesting steps taken and then use the proper tool to look at those.
This is the best I can give without spoiling it for others.

Root

If you made it to this point just gtfo here.

Thanks @Dilan for narrowing my search for the second user.
PM for a nudge.

Can someone please nudge me? I’m stuck after getting reverse-shell as a www-data user, I can see ******* user.txt file but can’t read it. I don’t understand where to go further.

@bascoe10 said:

Fun box, I did not find it as easy as other people did especially with the enumeration, but here is what I can share.

Foothold

When life gives you parameters, mess with them. This will open a door that only privileged users can go through. Once through the door, follow the path in front of you. Errors can reveal who you are, and we all have flaws. Well-known exploit tools might even know about this flaw.

User 1

Your favourite enumeration pod will reveal what should be of interest. Some keys can open more than one door. If you find such a key, try it against all doors.

User 2

A collection of users usually has things in common. When we do things we leave trails; they can be shrouded, but with the right combination of tools and grep you can un-mask anything. You might want to find the interesting steps taken and then use the proper tool to look at those.
This is the best I can give without spoiling it for others.

Root

If you made it to this point just gtfo here.

Thanks @Dilan for narrowing my search for the second user.
PM for a nudge.

Could you help me narrow my search, please? Stuck on User2.

Rooted!
Thanks to @deepansh0xB for the nudge! I learned my lesson here.

Nice box, I’m done with it.

@kalkipoison said:

Can someone please nudge me? I’m stuck after getting reverse-shell as a www-data user, I can see ******* user.txt file but can’t read it. I don’t understand where to go further.

Enumerate. If you ran a tool like nikto against the site, or did a good job with dirb/dirbuster/gobuster/whatever then you should have seen some files that look interesting but you couldn’t access them.

You can look at them in the filesystem.

If you get any credentials always check for password reuse.

Rooted

I thank everyone who gave me tips, but especially to @Harbard thanks for your patience, without you it would not be possible.

I’m a beginner and it was a little complicated, I learned a lot.

Really stuck on user 2, trawling through the logs at the mo with grep and zgrep, but really need direction on the best things to look for; any help would be most appreciated. Enjoying the box so far…

@foalma321 said:

Really stuck on user 2, trawling through the logs at the mo with grep and zgrep, but really need direction on the best things to look for; any help would be most appreciated. Enjoying the box so far…

If you ran a tool like nikto against the site, or did a good job with dirb/dirbuster/gobuster/whatever then you should have seen some files that look interesting but you couldn’t access them.

You can look at them in the filesystem.

If you get any credentials always check for password reuse.

@petrostheol said:

Can someone give me a nudge? I’m enumerating for like 2 hours but still nothing.

Tried a few days back to back looking at all the pages and, sadly for me, I still don’t get it… this has made me feel stupid af.

@grav3m1ndbyte said:

@petrostheol said:

Can someone give me a nudge? I’m enumerating for like 2 hours but still nothing.

Tried a few days back to back looking at all the pages and, sadly for me, I still don’t get it… this has made me feel stupid af.

It depends what you have done so far, but at a high level make sure you’ve found a page which implies it has privileged access, then see if you can manipulate the way you create new things to get access.

@TazWake said:

@grav3m1ndbyte said:

@petrostheol said:

Can someone give me a nudge? I’m enumerating for like 2 hours but still nothing.

Tried a few days back to back looking at all the pages and, sadly for me, I still don’t get it… this has made me feel stupid af.

It depends what you have done so far, but at a high level make sure you’ve found a page which implies it has privileged access, then see if you can manipulate the way you create new things to get access.

I get it now…I completely overlooked something the other day while being feverish! smh
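The hint quoted above (find a page that implies privileged access, then manipulate the way you create new things) describes, in generic terms, a create flow that trusts more parameters than its form exposes. As an added example, mine rather than any poster's and not taken from the machine itself, here is a toy registration handler that copies every submitted parameter into the new account, beside a hardened one that allow-lists the fields a client may set. The field names (`username`, `email`, `password`, `roleid`) and the role values are assumptions for the demo.

```python
"""Added example (not from the thread or from the machine): a registration
handler that copies every submitted parameter into the new account, beside
a hardened one that allow-lists the fields a client may set. Field names
such as `roleid` are assumptions for the demo."""

from dataclasses import dataclass

# The fields the sign-up form actually exposes to the user.
PUBLIC_FIELDS = {"username", "email", "password"}


@dataclass
class Account:
    username: str
    email: str
    password: str
    roleid: int = 0  # assumption for the demo: 0 = ordinary user, 1 = admin


def register_vulnerable(form: dict) -> Account:
    """Vulnerable on purpose: any parameter whose name matches an attribute
    is written to the account, even ones the form never offered."""
    acct = Account(form["username"], form["email"], form["password"])
    for key, value in form.items():
        if hasattr(acct, key):
            # coerce to the attribute's existing type, e.g. "1" -> 1
            setattr(acct, key, type(getattr(acct, key))(value))
    return acct


def unexpected_params(form: dict) -> set:
    """Parameters outside the public form: worth logging as a tampering signal."""
    return set(form) - PUBLIC_FIELDS


def register_hardened(form: dict) -> Account:
    """Copies only allow-listed fields; the role is decided server-side."""
    clean = {k: form[k] for k in PUBLIC_FIELDS}
    return Account(clean["username"], clean["email"], clean["password"])


def is_admin(acct: Account) -> bool:
    return acct.roleid == 1


# Constructed request body: the normal fields plus one the client added.
TAMPERED_FORM = {
    "username": "eve",
    "email": "eve@example.com",
    "password": "hunter2",
    "roleid": "1",
}

if __name__ == "__main__":
    print("vulnerable handler -> admin:", is_admin(register_vulnerable(TAMPERED_FORM)))
    print("hardened handler   -> admin:", is_admin(register_hardened(TAMPERED_FORM)))
    print("unexpected params:", unexpected_params(TAMPERED_FORM))
```

The practical check is the one the posters describe: capture the exact parameter set the create flow sends, add the one you suspect the backend also reads, and compare what the created object can do afterwards. That comparison is also the only reliable way to see whether a modification is having an effect; on the defensive side, the `unexpected_params` set is the thing to log.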

Wow, user2 was really needle in a haystack. I wouldn’t ever find it without a hint. I wonder if there is any method to search for things like that? Just “try harder”? :wink:

I understand the foothold, but is there a way to observe that what I’m modifying is having an effect? just wondering how much trial-and-error I should expect to perform.

A fun box! I got user2 only with a hint. For people who found it without a hint, could you please PM and explain what logic you used to find it?

@Oussmak said:

A fun box! I got user2 only with a hint. For people who found it without a hint, could you please PM and explain what logic you used to find it?

Any chance you could pass the hint to me… been stuck on this user switch for ages. Looking through a*****.l** for ages but don’t really know what I’m looking for. Thanks

@routetehpacket said:
I understand the foothold, but is there a way to observe that what I’m modifying is having an effect? just wondering how much trial-and-error I should expect to perform.

have you run gobuster (or any other tool that can brute-force directories/files on a web server)? this might help tremendously :slight_smile:

if you need more specific hints send me a DM.

but please explain what you did so far and what you want to do next (only regarding this machine, of course ;))

Nice box! I spent way too much time looking for the second user, but I learned something new there. The root part took me 5 min…

If you’re stuck with the first user like I was, maybe try to take a step back and ask yourself what the obvious thing you are looking for is (it is an easy machine, so…). And where/when/why could that thing be entered into the system? You know it’s there, so try to filter your results…

There are specific tools that you can use but the ‘standard tool’ works fine if you apply the right filters.

Please PM if you need a nudge.
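Several posters above treat user 2 as a log-filtering exercise: grep and zgrep over the logs, "the standard tool works fine if you apply the right filters". As an added example, mine rather than any poster's, here is that filtering written out in Python so the filters are explicit: read every rotation of a log (plain or gzipped, which is what zgrep does), keep interactive authentication events, drop the cron noise, and count which accounts were targeted. The log lines, host name and account names are constructed for the demo; which file and which entry matter on the machine is left as the posters left it.

```python
"""Added example, not from the thread: the grep/zgrep log filtering the
posters describe, done in Python. Reads every rotation of a log (plain
and .gz), keeps interactive authentication events and counts the account
names that were targeted. All log lines below are constructed."""

import gzip
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample: a live log and one rotated, gzipped copy.
LIVE_LOG = """\
Aug 12 09:00:01 host CRON[1001]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 12 09:00:01 host CRON[1001]: pam_unix(cron:session): session closed for user root
Aug 12 09:05:22 host sshd[1200]: Accepted password for alice from 10.10.14.2 port 51022 ssh2
Aug 12 09:05:22 host sshd[1200]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Aug 12 09:09:31 host sshd[1310]: Failed password for invalid user admin from 10.10.14.9 port 40210 ssh2
Aug 12 09:12:05 host sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
"""
ROTATED_LOG = """\
Aug 11 18:20:03 host CRON[900]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 11 18:22:17 host su: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=bob
Aug 11 18:22:17 host su: FAILED su for bob by alice
Aug 11 18:22:40 host su: pam_unix(su:session): session opened for user bob by alice(uid=1000)
"""

# ssh logins plus su/sudo activity; cron sessions are noise on most hosts.
AUTH_EVENT = re.compile(r"sshd\[\d+\]: (?:Accepted|Failed) |\b(?:su|sudo)(?:\[\d+\])?: ")
# The account an attempt was made against: "for [invalid user] NAME" or
# "user=NAME" (the lookbehind skips the "ruser=" field of PAM lines).
TARGET_USER = re.compile(r"(?:for (?:invalid user |user )?|(?<![a-z])user=)(\S+)")


def write_sample_logs(directory: Path) -> list:
    """Write the constructed sample as auth.log and auth.log.1.gz."""
    live = directory / "auth.log"
    live.write_text(LIVE_LOG)
    rotated = directory / "auth.log.1.gz"
    with gzip.open(rotated, "wt") as fh:
        fh.write(ROTATED_LOG)
    return [live, rotated]


def read_log(path: Path):
    """Yield lines from a plain or gzip-compressed log, like zgrep does."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", errors="replace") as fh:
        for line in fh:
            yield line.rstrip("\n")


def auth_events(paths) -> list:
    """Filter: keep authentication events, drop cron session noise."""
    return [line for p in paths for line in read_log(p)
            if AUTH_EVENT.search(line) and "CRON" not in line]


def tried_users(paths) -> Counter:
    """Count the accounts that appear as authentication targets. A name that
    shows up once, or does not look like a username, deserves a closer look."""
    hits = Counter()
    for line in auth_events(paths):
        m = TARGET_USER.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def run_demo():
    """Write the sample logs to a temp dir and return (events, user counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_sample_logs(Path(tmp))
        return auth_events(paths), tried_users(paths)


if __name__ == "__main__":
    events, users = run_demo()
    for line in events:
        print(line)
    print(users.most_common())
```

On a real host the same two filters are one pipeline: `zgrep -hE 'sshd\[[0-9]+\]: (Accepted|Failed) |(su|sudo)(\[[0-9]+\])?: ' /var/log/auth.log* | grep -v CRON`, then look at the rarest names rather than the commonest ones; the point of the counting step is that the interesting entry is usually the outlier.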

Very interesting box, thanks to @egre55 and @mrb3n.
