Official Love Discussion

@cutterslim said:
@Doncrek said:

@cutterslim said:
I can’t seem to access this machine anymore and the Release Arena machine has changed. The IP address is now 10.10.10.239. Does this mean I need to buy a subscription in order to continue to work on it?

you need to choose the right VPN package

I switched to a lab VPN, got a different IP address and still can’t reach 10.10.10.239. Is there a different VPN package I should be using?

Yes, it’s lab VPN. Are you sure you’re connected to the VPN? Check ifconfig tun0?

@quangvo said:
Can anyone help me with the foothold? I’m kinda stuck

Reach out to me so I can give you some nudges

@Doncrek said:

@cutterslim said:
@Doncrek said:

@cutterslim said:
I can’t seem to access this machine anymore and the Release Arena machine has changed. The IP address is now 10.10.10.239. Does this mean I need to buy a subscription in order to continue to work on it?

you need to choose the right VPN package

I switched to a lab VPN, got a different IP address and still can’t reach 10.10.10.239. Is there a different VPN package I should be using?

Yes, it’s lab VPN. Are you sure you’re connected to the VPN? Check ifconfig tun0?

Never mind, I restarted the Kali machine, and now I can reach Love again

Finally got system!
Some of the things that should work, didn’t work sometimes.

For System: read carefully the output of your favorite enumeration script and you’ll find the misconfiguration ;). Next step is easy.

Someone was able to get system with the predefined module from the famous framework?

Finally rooted. Thanks to your nudges on this page… DM if you are stuck :slight_smile:

@gullon said:
Finally got system!
Some of the things that should work, didn’t work sometimes.

For System: read carefully the output of your favorite enumeration script and you’ll find the misconfiguration ;). Next step is easy.

Someone was able to get system with the predefined module from the famous framework?

Yes, but it took me more time than without the framework.

Would greatly appreciate any help. Have been stuck on a dead end for three hours or so now, finally gave up.
I’m on the hidden URL. Can see the possibility to upload a reverse shell. I’ve tried to upload a PHP shell - no access, the code is only echoed out. Tried an EXE shell - seems to do something, but no matter what type of shell I try it always echoes some binary data with the error "This program cannot be run in DOS mode". Have tried every possible shell from the known framework and some other ones. No success.

Other than that hidden URL, there seem to be one hundred and one attack vectors, but couldn’t find anything on that. The shell upload one is my best bet so far, but can’t get it to work.

/edit: I’m dumb. The DOS mode message belongs to the EXE header. Therefore, the script simply echoes the whole EXE binary back to me. Still no idea how I would get a shell from that site though. Might be on the completely wrong path (and probably am).

@spaaze said:

Would greatly appreciate any help. Have been stuck on a dead end for three hours or so now, finally gave up.
I’m on the hidden URL. Can see the possibility to upload a reverse shell. I’ve tried to upload a PHP shell - no access, the code is only echoed out. Tried an EXE shell - seems to do something, but no matter what type of shell I try it always echoes some binary data with the error "This program cannot be run in DOS mode". Have tried every possible shell from the known framework and some other ones. No success.

Other than that hidden URL, there seem to be one hundred and one attack vectors, but couldn’t find anything on that. The shell upload one is my best bet so far, but can’t get it to work.

/edit: I’m dumb. The DOS mode message belongs to the EXE header. Therefore, the script simply echoes the whole EXE binary back to me. Still no idea how I would get a shell from that site though. Might be on the completely wrong path (and probably am).

I am struggling on this one as well…

@chbale said:

@spaaze said:

(Quote)
I am struggling on this one as well…

Have you considered trying a URL instead of uploading a file and seeing what it does… then use that to your advantage?

@spaaze said:

Would greatly appreciate any help. Have been stuck on a dead end for three hours or so now, finally gave up.
I’m on the hidden URL. Can see the possibility to upload a reverse shell. I’ve tried to upload a PHP shell - no access, the code is only echoed out. Tried an EXE shell - seems to do something, but no matter what type of shell I try it always echoes some binary data with the error "This program cannot be run in DOS mode". Have tried every possible shell from the known framework and some other ones. No success.

Other than that hidden URL, there seem to be one hundred and one attack vectors, but couldn’t find anything on that. The shell upload one is my best bet so far, but can’t get it to work.

/edit: I’m dumb. The DOS mode message belongs to the EXE header. Therefore, the script simply echoes the whole EXE binary back to me. Still no idea how I would get a shell from that site though. Might be on the completely wrong path (and probably am).

Think “locally” about things you currently cannot see.

Finally got system… this being my first machine to learn on, I did not find it easy. I would describe as easy (at least for a beginner) a machine that has fewer rabbit holes to run down (to limit time sinks).

User: I had a few nudges. Unsure how long I’d have spent banging my head going after the wrong thing without these nudges. Things finally clicked, but for the wrong reasons: I was able to view the server access log, and I could see what other pen testers were doing, which made me think of how to get my payload over to get that 1st shell.

Root: spent too many hours going down yet another rabbit hole (went after an exploit that requires another Windows machine to mount the attack). When I finally ran my enumeration script on the victim machine, it gave me a wall of text, and the misconfiguration part was near the top so I kept missing it (realized I should have redirected output to a file for easier reading). I finally got the misconfig message by stopping the scroll while the script ran.

Not an easy machine to learn on, but thankful for all the nudges that saved me hours of going down rabbit holes (I still spent a good 3-4 hrs a day since this machine came online). I learned a lot, but would not recommend this to a beginner unless said beginner is resilient to frustration (I feed off frustration).

Every time I try to run the file on the user’s Desktop I get the error:

This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.

Tried to reset the machine, tried multiple file methods with msfvenom… I don’t know what more to do… anyone with the same? What am I doing wrong?

Still didn’t get any further with this machine. No idea what I’m missing, did some medium-rated machines as well already, honestly don’t know why this one is rated easy.
Still on the secret page. Looked through my enumeration outputs a thousand times now. Can’t see anything I haven’t seen before.
Tried to go the “what about URL instead of uploading a file” route by spinning up a small webserver to dump the HTTP request the machine is doing when trying to upload a file there. Nothing special, extremely basic HTTP request.

I’ve now left this secret page and went back to the frontpage to see if I can get somewhere with injection. Seeing the type of injection it’s vulnerable to, I guess that should take some hours though. Probably the wrong route.

If anyone can hand an additional nudge towards the file upload page via PM I’d greatly appreciate that.

@sicario1337 said:

@chbale said:

@spaaze said:

(Quote)
I am struggling on this one as well…

Have you considered trying a URL instead of uploading a file and seeing what it does… then use that to your advantage?

Got it, found it :wink: got user.

I know the exploit for the root part. Tried various different types of msfvenom payload but I couldn’t get the reverse shell back to my machine. I did m****c /I to install the malicious file but nothing happened.
Anyone have the same problem?

I don’t know if I’m on the right track here. I think I have a valid path for user foothold but I need to confirm before going down the rabbit hole :slight_smile:

Feel free to DM.

Any tips/suggestions for root? Basically a Windows noob. I’ve run winpeas which I know basically tells me the priv esc but I really can’t work it out on this one :neutral:

Finally got the user flag. Thanks @C31ibarin. Once it clicked, it wasn’t that hard (who would’ve thought).
Don’t try to upload a shell on the secret page you might’ve found - that rabbit hole leads nowhere. Think how you can use the fact it echoes everything back out to you that you give to it through the URL.

Off to root now. :smiley:

Got this. To gain foothold there are many ways! At least I just found two new exploits in this weak PHP app.
Root was also a nice way; I prefer to do it manually and don’t use Metasploit. Was a nice experience!

If anyone needs a nudge, just let me know.

@quangvo said:

I know the exploit for the root part. Tried various different types of msfvenom payload but I couldn’t get the reverse shell back to my machine. I did m****c /I to install the malicious file but nothing happened.
Anyone have the same problem?

There are 2 paths to get you root: a met******* way or a manual way.
If you know the exploit then a simple Google search will find what you need.
You’re on the right path: get the right payload for your msfvenom, 2 commands, and you’re done.
Or get a decent meterpreter shell and search for the exploit.
![Foalma321](https://www.hackthebox.eu/badge/image/74636)