Official Doctor Discussion

@mkampo said:

Hello everyone! I am stuck at D******** S********* M***********. I figured out that it is susceptible to S***. I am having a hard time creating an efficient payload that would bypass potential filters. I would be grateful for some hints, because I am missing something for sure.

The results of your payload are “displayed” on a different page entirely.

I’ve got access to DSM by updating my h___s file. I’m testing out sending messages but I’m not sure if I need to exploit S__I or X__? Is anyone able to send me a nudge in the right direction? Bit of a noob

Edit: Got successful X__ injection on a____ page… what am I missing?

Landed a shell. My advice: img src r**e sl

Rooted. User was relatively easy, root is also not too challenging with a bit of Google for that pesky one that blocked you at the start.

Many thanks to @subtilis for his useful guidance.

I got user shell
whoami
s*****

Now I am looking for potential PE vector and I think the answer is in S*****

Rooted it! Root in comparison to initial foothold/user was fairly easy. Nice box nevertheless, I’ve learned a new attack vector from it.

id

uid=0(root) gid=0(root) groups=0(root)

RooteD~!
Figuring out the technique to get foothold was tricky.

Rooted, feel free to PM me if you’re stuck, but please be sure to say what you’ve done so far and get ready for ambiguous hints :slight_smile:

As for nudges:
Foothold - Sometimes things can appear different when we look at them from a different direction.
User - You have something that can help you look someplace. Anything weird there?
Root - sometimes it’s good to get back to basics and to start off with a clean slate.

Definitely not an easy box, but big fun and learned a lot.

As often, user is the harder part, root is very well documented, just use what already exists. For User and Root: enumerate, enumerate, enumerate very carefully

pm me if you need a hint

I was able to get to the login page but I don’t understand why it worked and really want to know before moving on. I’d appreciate if someone could PM me about that

@0xL said:

I was able to get to the login page but I don’t understand why it worked and really want to know before moving on. I’d appreciate if someone could PM me about that

It depends what you mean about why it worked.

I suspect your question is down to how HTTP works and the way the Host header works.

Yes, I didn’t want to say too much but that little bit you just said is enough for me to go and do my own research. Thanks

Hello guys, I’m stuck on getting the user. I’ve seen that it’s part of some group but I got nothing from there!

Could you please give me a little help?

Thanks :slight_smile:

Update: I got it ^^

Hi, thanks everyone for the hints.
I managed to get user & root.
Foothold : very interesting way of injection
User : enumerate… there is one thing you have access to…
Root : pretty simple

Hello guys, is it normal that I can only see a single page on this machine?
I tried gobuster but it can only find css, images, fonts, and js.

Any idea?

Never mind :slight_smile:

How do I use the exploit for root? I can’t use any command because of the bash term.

@N00p said:

How do I use the exploit for root? I can’t use any command because of the bash term.

Never mind, rooted the box.

Just rooted it. Excellent box, although definitely harder than what I was expecting for an “Easy” box.

The only hint I want to add to the many already given is that there are variations of the “quiet” exploit and not all work.

Beginner here working on foothold. I’ve managed to upload a test script and track down the output. I assume I need to use n* to launch a s**** but I have no idea how to figure out what payload to use or how to format it. Any good sources to learn this?

@Vomocer said:

Beginner here working on foothold. I’ve managed to upload a test script and track down the output. I assume I need to use n* to launch a s**** but I have no idea how to figure out what payload to use or how to format it. Any good sources to learn this?

You don’t need n*. There is a site which covers payloads for all things. Find it and have a look. One of them works really well here.

@LeChatP said:

GG to 2 First blood

Mate, noob here. First box. Did a few scans, got open ports. But a little nudge, anyone?

@SydneyJR said:

@LeChatP said:

GG to 2 First blood

Mate, noob here. First box. Did a few scans, got open ports. But a little nudge, anyone?

It depends what you are stuck with.

If you have something you can post data to, try different attacks and see what works.

If you don’t, look closely at the information you have and modify how you are requesting pages.