haha this was fun, I did it using the intended way after getting a www-data user before dinner coming back and starting with the info I already had it was clear. super easy. but wondering now what exploit is the priv sc
People keep changing the password because that’s the only way you could know the correct password for that specific service. Research phPass encryption and think about what you could do with the information and access you have.
@JChris said:
I don’t know how to say that without spoiling, so I’ll try my best.
I did enum and found something
From that something I got the credentials to log in to an interface
Inside that interface there’s a part where I can see the credentials of a very special wp_user of the Blocky site.
The issue is that people keep changing the password…
You have the correct credentials, but you are using them in the wrong way.
Use the “very special” user and the other info you have, but not in the log in page, but in another service the server is running
Holy bananas… Got user and root flag easily ** Spoiler Removed - Arrexel **. It’s strange how people are talking about www-data, priv sca etc, because I didn’t use any of that, ** Spoiler Removed - Arrexel **
@JChris said:
Holy bananas… Got user and root flag easily using that credential on the right service. It’s strange how people are talking about www-data, priv sca etc, because I didn’t use any of that, all I needed was inside a jar of cookies…
That’s the trick with this box, it’s a rabbit hole anybody can easily go down xDD
The key is (most of the time) don’t overthink
Effectively there are two ways to own this system… If you don’t try one thing, you’ll end up overthinking and, hopefully, own the system with the harder way.
@rek2 said:
haha this was fun, I did it using the intended way after getting a www-data user before dinner coming back and starting with the info I already had it was clear. super easy. but wondering now what exploit is the priv sc
The key on this one is definitely not overthinking. With how much people reset this box and change the password for a particular user, it took me a good 2 hours of spinning my wheels trying to get user & root when the first thing I tried didn’t work (but definitely should have and later did).
@kophjager263 said:
The key on this one is definitely not overthinking. With how much people reset this box and change the password for a particular user, it took me a good 2 hours of spinning my wheels trying to get user & root when the first thing I tried didn’t work (but definitely should have and later did).
@Ruster, not necessarily. I overthought this because what I tried initially didn’t work, but that was because it’s a popular box and “things” get changed sometimes. It sounds like you’re absolutely in the right spot, and you likely already have what you need. It’s just a matter of using what you’ve found and enumerated in the right spot.
@kophjager263 said: @Ruster, not necessarily. I overthought this because what I tried initially didn’t work, but that was because it’s a popular box and “things” get changed sometimes. It sounds like you’re absolutely in the right spot, and you likely already have what you need. It’s just a matter of using what you’ve found and enumerated in the right spot.
@wyliebsd said:
I’m curious where you all found the username “notch” ? I found the password that worked for that user, and easily obtained root, but not sure where you guys came up with “notch” in the first place?
nmap nse scripts for http-* will also spit the username with ease. nmap is god
@r7f5 said:
Effectively there are two ways to own this system… If you don’t try one thing, you’ll end up overthinking and, hopefully, own the system with the harder way.
@rek2 said:
haha this was fun, I did it using the intended way after getting a www-data user before dinner coming back and starting with the info I already had it was clear. super easy. but wondering now what exploit is the priv sc
Are you interested yet?
hey, I already got this one last week when I wrote this. and the priv was even easier. about to finish Holiday now.