Official Delivery Discussion

Getting user has me so confused and struggling as a result. I’ve discovered the contact us workflow, along with the the additional areas of logging in that agents and people with the account can access, but from there I have hit a wall.

I don’t know how to make that subdomain point to the right place.

@John5hade said:

I don’t know how to make that subdomain point to the right place.

You need to add it to your hosts file.

The hosts file isn’t DNS, it doesn’t allow other lookups. If you have 10.10.10.10 example.com in your hosts file and you visit www.example.com, the hosts file wont work. You need to add an extra entry for each subdomain you want to resolve.

@dewest91 said:

Getting user has me so confused and struggling as a result. I’ve discovered the contact us workflow, along with the the additional areas of logging in that agents and people with the account can access, but from there I have hit a wall.

Step back and rethink.

Try things and see what happens. One of them lets you create things. Create a thing. Look at what else it gives you. You can now use that to access the other place.

Type your comment> @TazWake said:

Create a thing. Look at what else it gives you. You can now use that to access the other place.

I have the thing that I need to access the other place. But all I know is the port, and attempting to connect with netcat gives me a 400 Bad Request. Reading this forum makes me think I’m off track, pretty sure this isn’t supposed to be the tricky part.

Is this an OSINT step?

Got the user pretty quickly and found the h***hs. Not sure what to do next. Spent hours configuring various rules etc. but none of them worked. Not gonna spend anymore time on this box but the user part was fun.

@leadOctopus said:

Type your comment> @TazWake said:

Create a thing. Look at what else it gives you. You can now use that to access the other place.

I have the thing that I need to access the other place. But all I know is the port, and attempting to connect with netcat gives me a 400 Bad Request.

That implies that your netcat connection isn’t sending a valid HTTP request.

Does it work when you use a web browser?

Reading this forum makes me think I’m off track, pretty sure this isn’t supposed to be the tricky part.

Accessing it isn’t supposed to be tricky. Getting an account needs some creative thinking.

Is this an OSINT step?

Not as far as I am aware.

I feel like I must be missing something; I’m going for root.

I’ve got the root hash, cracked it, and am staring at what looks to absolutely be the root password based on all of the hints. However, can’t seem to log in as root (to either the machine or mattermost server). Feel like I’m missing something stupidly obvious…

@ofsmul said:

I feel like I must be missing something; I’m going for root.

I’ve got the root hash, cracked it, and am staring at what looks to absolutely be the root password based on all of the hints. However, can’t seem to log in as root (to either the machine or mattermost server). Feel like I’m missing something stupidly obvious…

If the password you have starts with P, then it might be the right one.

How are you trying to switch to the root user account?

This was a really fun box, a great way to learn some skills in a constructive way.

This box has a focus on enumeration, EVERYTHING you need is there, don’t make things hard for yourself, I speak from experience :wink:

Without realizing it, you are taken through basic enumeration for hints (almost instructions), to then checking for the things that you should always check, then onto tool usage that should be bread and butter. This was a well thought out and crafted box.

@ippsec This was a great instructional box, please, more like this please :smile:

Could I get a little nudge in the right direction with what rules and what lists are required in the step which requires these 2 things? No combination I tried works :frowning:

Type your comment> @TazWake said:

That implies that your netcat connection isn’t sending a valid HTTP request.

Does it work when you use a web browser?

Indeed, my netcat request didn’t have a User Agent or anything like that, so I imagine it probably was invalid. It does not work when I use a web browser, so I wasn’t sure how to form the request in netcat/burp/etc. But, it sounds like it should work in a web browser?

I’ll have to try resetting my box and trying it again at some point today.

I thought maybe there was an OSINT step where I had to find the raw request form online somewhere and submit a login request that way, but wasn’t having any luck.

@leadOctopus said:

Type your comment> @TazWake said:

That implies that your netcat connection isn’t sending a valid HTTP request.

Does it work when you use a web browser?

Indeed, my netcat request didn’t have a User Agent or anything like that, so I imagine it probably was invalid.

Sort of, but its a bit more than that. A user agent string is the least of its worries.

With netcat you cant send valid HTTP by manually entering the minimum required fields.

GET / HTTP/1.1
Host: example.com

Then you should get a valid HTTP response rather than the server just getting confused.

You can even be more minimalist with GET / if it will process HTTP0.9 type headers.

Using netcat to access HTTP is really painful though, typos and remembering to finish the request with a blank line make it a lot harder work than just using a browser and looking at the errors it generates.

It does not work when I use a web browser, so I wasn’t sure how to form the request in netcat/burp/etc. But, it sounds like it should work in a web browser?

Yes. What error do you get in the web browser? That might be more informative.

Interesting box, but some of the nudges in comments may mislead in obtaining root… I went a rabbit hole after a comment from someones that h*** is in ‘User’. Just avoid cracking the first h*** you get when login with low privs like I was trying to do. It’s NOT really THAT SIMPLE :smiley:
For the root… just follow the ‘root’ in the place where you got an answer of what to use for getting access to the box with low privs, the h*** you need to crack is somehow related to that ‘place’ :wink:

Type your comment> @TazWake said:

Yes. What error do you get in the web browser? That might be more informative.

I reset the box and now I can access the portal. I’m beginning to think I might have been stepping on my own foot by running dirbuster in the background, maybe I was making too many requests of the server before. Something to be careful of, perhaps.

Thanks for pointing me back in the right direction.

I can’t seem to track down the last bit at the end. I think I know where it is though, except my hunch involves logging into another thing once I’ve gotten a user shell, and all attempts to log into it tell me that I can’t log into it as me (or as anyone) from localhost. I even imported the find binary to help me find config files I might have missed, which maybe contained something I can use, although, I’m not quite sure.

I just need a gentle nudge, am I on the right track?

@leadOctopus said:

I can’t seem to track down the last bit at the end. I think I know where it is though, except my hunch involves logging into another thing once I’ve gotten a user shell, and all attempts to log into it tell me that I can’t log into it as me (or as anyone) from localhost. I even imported the find binary to help me find config files I might have missed, which maybe contained something I can use, although, I’m not quite sure.

I just need a gentle nudge, am I on the right track?

Assuming that it is the service I think you want to log into:
There are credentials for it, somewhere. Use those and you will be able to login.

EDIT:
No need to use find. Simply look into the other applications’ folders, and you will find what you seek.

@HomeSen said:
Assuming that it is the service I think you want to log into:
There are credentials for it, somewhere. Use those and you will be able to login.

Thanks! I did eventually track them down. Learned how to recursively scan the files in a directory for a string too, which might come in handy as time goes on.

I found one crackable thing in that service. So far it’s pretty resistant to my efforts. I must have the wrong wordlist.
I’ve tried rules, custom permutations of the hint on the internal forum (“P…”), even the combinator. The value is computed using an algorithm with a fishy name. But so far, that’s as far as I’ve got.

@leadOctopus said:

@HomeSen said:
Assuming that it is the service I think you want to log into:
There are credentials for it, somewhere. Use those and you will be able to login.

Thanks! I did eventually track them down. Learned how to recursively scan the files in a directory for a string too, which might come in handy as time goes on.

I found one crackable thing in that service. So far it’s pretty resistant to my efforts. I must have the wrong wordlist.
I’ve tried rules, custom permutations of the hint on the internal forum (“P…”), even the combinator. The value is computed using an algorithm with a fishy name. But so far, that’s as far as I’ve got.

Sounds like you are on the right track. Combining the hints with the best 64 rules should give you a result after a reasonable amount of time (on my GeForce MX150 it took roughly 6 minutes).

@leadOctopus said:

I found one crackable thing in that service. So far it’s pretty resistant to my efforts. I must have the wrong wordlist.
I’ve tried rules, custom permutations of the hint on the internal forum (“P…”), even the combinator. The value is computed using an algorithm with a fishy name. But so far, that’s as far as I’ve got.

I found building my own wordlist was a lot, lot quicker.