Last Active


  • Of course if there is something wrong with the box, you can always reset it :) I was a bit worried how the app behaves under load, but it seems to work relatively ok. (There is one thing that's not thread-safe and I left it there intentionally. It m…
  • use the source @lurchman . Perhaps google for "exploiting *******" based on what you see there. Internet will tell you many things if you search for known vulnerabilities and flaws in some technology/library/framework/component.
  • I kind of tested pivoting at one point because some machine had blocked reverse outbound connections. So I thought maybe I could just piggybag from another machine I had rooted. But that's not how it's supposed to work of course :)
  • @underd0g read some more files. You don't need to guess arbitrary filenames in this case :)
  • Four suggestions. * Google for some more ideas. Here's one article that has some basic ideas about Linux privesc: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ * Look at IppSec's videos. There you get more good ideas. * Whe…
  • pretty much any tool and any web site discovery list should be as good as it gets :)
  • @h3kd3w google won't help, but you don't need to guess out-of-nowhere what is the name of the user or what is the user's password or something like that. Basic enumeration and paying attention to what is there will provide the necessary information…
  • This thread is pure gold! For what it's worth, here are my thoughts on the subject. I put -v for nmap so that it prints out it's findings during the scan before it is finished, but otherwise the same as others here. If necessary, split the port r…
  • @Frey well, if you say that component/service "XXX" is the key, that narrows it down pretty totally. It's perfectly nice to help people, but putting that in the open removes the joy and delight of finding it from someone who would've found…
  • @Frey well it is pretty major spoiler. You can always send a message if you want to tell a single person something.
  • @genxweb similarities to one other machine were totally coincidental. That machine hadn't been released when I submitted this :)
  • @ph3on1x :) yes, you have to think analytically though you don't need to make an arbitrary guess out of nowhere :) or bruteforce with wordlists.
  • @Narmu you need to log in to the machine to find a way to privesc. Reverse shell is a good idea :)
  • I think mentioning explicitly which vulnerability you should (or could) use counts as a spoiler. Though in this case it's sort of easy to guess that as the machine isn't that difficult intentionally.
  • There are at least three paths :) One of these is totally unintended and I didn't even realize it before :astonished: DesignOops.
  • @FFEJ bruteforcing is not required. There might be more than one way to skin a cat, but it doesn't require arbitrary guesswork or bruteforcing.
  • You shouldn't rely on automated enumeration scripts. Research the machine on your own.
  • This is not strictly a hint, but the machine was designed to not require arbitrary guessing or finding the right wordlists because I don't really like that kind of hacking :) So the hints are not hidden, they are there. I hope you like it.
  • In some cases, yes. I kind of tested it. But is it necessary or useful? For the machines not really.
  • There seems to be so much hinting in this thread that it should be plenty enough :)
  • yes, quite confusing. I also noticed the XSS and then there is another *** thing which kind of seems relevant, but I haven't been able to use it for anything useful so far. And there is a third thing behaving in a way which would suggest that there…
    in Nightmare Comment by lokori May 2018
  • The source code comments suggest that RCE is tricky and also gives some hints about the right/wrong idea to get RCE. You said that you know the type of attack, but are you sure you have analyzed all the different paths to RCE with the programming l…
  • Do as the assignment says. Use IDA.
  • you could try sleep as the payload if you are not getting output back but want to verify that remote command is executed. sleep(2), then sleep(5) and after a few requests you can be fairly certain if the commands are executed. Obviously you need to …
  • Since that post I have also added -l option to Dirbuster so that I get the length of server response in addition to HTTP status. Sometimes the length makes all the difference to find the interesting one compared to "normal".
    in Rabbit Comment by lokori April 2018
  • The two more difficult hashes might be uncrackable. The 10 easier ones should be useful, or at least some of them are useful. I'm struggling with a certain payload I have in my hands. My payload is in a way "accepted" by a certain system …
    in Rabbit Comment by lokori April 2018
  • I got so fed up with 500 that I wrote a simple Python program to give me a "shell" .. using RCE by uploading each command separately :) It's rather difficult to know why a reverse shell doesn't spawn like it should if you are blind. But if…
    in Canape Comment by lokori April 2018
  • If you have enumerated for 10 hours and haven't found anything, the hint you are looking for is probably this: PAY ATTENTION.
    in Olympus Comment by lokori April 2018
  • As a general note, if the low level user was granted DBA rights, that would be awesome for the hacker. But that would spoil the fun for all other hackers who log in with that user, because there would be no challenge after the user is already a DBA.
    in Silo Comment by lokori April 2018
  • The payload must be "handled" properly. I had to use the editor in the proxy to tweak my upload request after sending it from curl. This thread now contains multiple hints. Thorough research for all possible ways to get execution with the…

Howdy, Stranger!

Click here to create an account.