So far I have have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I’m struggling to find the backup file - tried common extensions and also vim-style file naming but no luck…
So far I have have enumerated ghosts and files on those, seen the error message on one of the files, found the login where the ide is (but no creds), and I’m struggling to find the backup file - tried common extensions and also vim-style file naming but no luck…
Collect all discovered directory names and filenames (without extension), put them into a custom dictionary file and run dirbuster/dirb/gobuster/etc. using different “backup” extensions and different vhosts. If you want to execute a “full” search, you should add "dot"filename strings to the dictionary file too.
Rooted! User part was very interesting and had so much fun.
I guess there is another way to root, rather than mixing vulnerable code and enumeration, if anyone has rooted with another way, please drop me a message. Apart from root, there is another vhost c**t, what is its purpose anyway??
Thank you @MrR3boot for your awesome craftsmanship.
Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated!
Fantastic box!
Got user, stuck at last part for root.
got unrestricted shell for t*n and w******* and have been playing with b.p but nothing seems to stick.
Is this a rabbit hole for root?
Any hints would be appreciated!
Update:
Just rooted. went for the rude approach. resetting box.
Hi all, I’ve been enumerating for almost a week now and still unable to find the “bak”. Wonder if I’m just using the wrong wordlists? Though I’ve tried a lot from seclists/dirbuster already. I know it could possibly be related to vim, and have accounted for it in my enum.
Any nudge in the right direction would be much appreciated!
Hi all, I’ve been enumerating for almost a week now and still unable to find the “bak”. Wonder if I’m just using the wrong wordlists? Though I’ve tried a lot from seclists/dirbuster already. I know it could possibly be related to vim, and have accounted for it in my enum.
Any nudge in the right direction would be much appreciated!
Create your own wordlist based on the discovered directory names and filenames without extension. Then try to use different extensions and vhosts.
@pirxthepilot said:
Hi all, I’ve been enumerating for almost a week now and still unable to find the “bak”. Wonder if I’m just using the wrong wordlists? Though I’ve tried a lot from seclists/dirbuster already. I know it could possibly be related to vim, and have accounted for it in my enum.
Any nudge in the right direction would be much appreciated!
Well you are in right direction when you said about vim. Think of other editors. There’s no need of wordlists. Identify the php file which responsible for handling access and try different artifact tools against same php file. Good luck ?
I can’t find this backup file. I fuzzed every known file from the enumeration process with every folder I found with a bunch of common extensions. In my desperation I even tried to brute force all possible 3 letter combos on known files.
Could someone give me a hint?
@testmeister said:
I can’t find this backup file. I fuzzed every known file from the enumeration process with every folder I found with a bunch of common extensions. In my desperation I even tried to brute force all possible 3 letter combos on known files.
Could someone give me a hint?
There is an artifact checker on git which definitely help you out. Good Luck
Finally rooted. The initial enumeration was hard, but after finding the right file the rest was straight forward. I really liked that ff***g exploit, never seen such a beautiful exploit before!
User was torturous and fun at the same time. Learned a lot on the way. Baby steps with a lot of enumeration and constantly combining information that you found previously. Every step felt like a victory.
That one exploit was some black magic indeed! Unfortunately I had some trouble reading the credits I found, and stupidly overlooked a simple fix. Thanks to @clubby789 for giving me a nudge!
Root was really easy once I got on the right path, but very fun and satisfying. Unfortunately somebody had rewritten an important file, so it took me some extra time to get on the right track.
Great box @MrR3boot - thank you for the adventure!