Also, in the CVE exploit, in general, what is vhosts?
thanks
Normally it's a way of allowing a server to host multiple domain names. It means a server can host example1.com, example2.com etc. and serve different content based on the hosts part of the HTTP request.
In some instances it is the same as the hostname you want to hit.
Just rooted Academy. It was a great box, IMO not an easy one. Lateral movement from user1 to user2 can take a long time. Check which group user1 is a member of and what that group is meant for; it helped point me to the location you have to search. Check that location and you will see an interesting directory, and with Google you can learn what you have to search for and how.
If you still need a nudge, just DM!
Anyone get user manually instead of using msf*******? Please PM me if you did. Just IMHO, I would say this is not OSCP-like. I rooted and did a personal write-up on every box in the public network during my lab time. The OSCP boxes are more like "find the exploit", enumerate, create your payload, find root vector, own box. I have only seen this method in the training .pdf in the 2020 version.
I would also like to join the discussion about manually doing it after having done it with msf... I found some stuff on github but I can't seem to get it to work.
Comments
@3LI said:
Check if your dirb setup was using the IP or the host/vhost for the requests.
Related to this answer from TazWake:
Finally rooted, frustrating but interesting machine and hints definitely helped me get past a couple of hurdles. Saw 1 thing that I've never seen before.
PM if you need some help.
edited -- nvm
@T13nn3s said:
User1 to 2 has an easy way and a hard one; trolling the logs can be tedious, but a popular enum script will give you what you need (latest ver).
Foothold was obvious enough for me to miss it for way too long.

For user1 to user2, when I landed in the home directory, I saw a .viminfo file, and the thing everyone's looking for was in it. Thankfully for me, for some reason it didn't work so I kept working and finally got it the regular way.
But, for everyone, please, please, clean up the place before leaving, it can really ruin the fun for the others!
Anyway, good box, even though the user switch drove me insane
@bashsupremacy said:
Thank you for your interest. I still can't find a way to do this manually except for removing the MSF needed part of the exploit and making it work manually. You can only use MSF once on the OSCP test. That is one of the hardest tests I have ever done. Learn how to do all of these manually if your goal is to be a professional pentester. Sometimes all you get is a cmd line with limited to no tools in a real world pentest. Learn MSF but don't depend on it.
Hi crew, I found user2 password but not really sure that is the right user that I need to get root. Also tried password variations for userX and grep for all other similar "values".
TNX.
Any tips where to go from here?
@AHam1lt0n , @bashsupremacy
I sent you a PM. There are several publicly available scripts that work without MSF
GREM | OSCE | GASF | eJPT
@MadTriber said:
The easiest way to find out is to become the user and see what they can do.
It depends why you think user2 is no use for you and what you are looking for with userX for example.
Note: https://www.nohello.com/
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
Currently have very limited HTB time but will try to respond as quickly as possible.
I am stuck with users part
any hints
@khanafeer said:
If you have a shell, enumeration is key.
rooted! nice box!
took some time to switch from user2 to user3, I was chasing the wrong user =/
thanks @TazWake.
TNX @TazWake for pushing me in the right direction. Getting a root is really simple when you have user2.
Intercept every request your browser sends and look at them. It is a good practice to do this every time, so you can have a look at how the web app works. After this you should give some attention to the framework used and then use that to get inside the box. After that, think about how the web apps store the creds to access different services internally. Then look at where you belong, and which permissions you have. Use those permissions to find useful info. And at the end it's simple, and in front of you. I hope this isn't a spoiler at all. If you need further help, message me here or on Discord, but first tell me what you did.
Work hard in silence, let your success be your noise
Can someone help me root the machine?
I already have user.
PM PLEASE
@shahafkobi said:
You need another user, then the path to root presents itself to basic enum.
So, I found the secret a**** area. Found the MSF l****** exploit and set VHOST to dev-*******-**-.*******.*** . After running the exploit, the output in Burp is a 500 UnexpectedValueException . Can anyone point me in the right direction?
@el0uid said:
Are you pushing the attack through burp rather than at the server directly via MSF?
If you are using MSF, don't forget the key matters.
@TazWake said:
Okay, I'm dumb LOL ... I found the key.
So I think I'm really stupid here. I got a shell and spent so much time, almost 3 days, trying to get a user flag using enumeration that everyone is talking about, but really couldn't! I used Linux enumeration script l*np**s.sh and it got me so many files, and I almost looked into all of them with nothing! I know I'm a beginner, so I think I'm missing something fundamental here?
I found so many passwords that are default ones and tried them all on the box and mysql and ssh but no luck. Something is definitely wrong with me.
If anybody is willing to help I would appreciate it.
I really need a push with user1 and user2. I am clueless.
Nudge plz.
@nnahnnoud said:
Most scripts won't find it because it isn't in human-readable form. In Linux lots of things get logged by auditing tools. If you can find something which captured someone else doing what you want to do, this might be useful.
@cypher0x1 said:
In Linux lots of things get logged by auditing tools. If you can find something which captured someone else doing what you want to do, this might be useful.
Just finished the machine, it was very nice and learned a lot!
If you need some nudges write me!
Is anyone having issues with the box today? My SSH sessions and M*****ole sessions work initially but stop responding after 20 seconds.
Anyone having issues with the web-site?
Loads fine prior to account creation - but as soon as I log on the whole thing goes to a grinding halt ...
This is on Kali - Firefox
Chromium works better but I would like to use burp-suite (which seems to be on firefox only - unless I am mistaken?)
Always happy to help others. 100% human
https://www.mindfueldaily.com/livewell/thank-you/
@acidbat said:
Burp runs as a proxy, so you just need to configure whatever browser's proxy settings to route the traffic through burp's proxy.
Unless I am misunderstanding.
@svenkali said:
Good point
- Thank you 