Luke

Enumerate Enumerate …got it and root too

Looking for some hints. I have enumerated found 3***. Found a root password. Stuck on exploiting 3***. The exploits I’ve found talk about manipulating the cookie. Need some pointers. Thank you.

Hey, I’m still new in here so not sure how it all works. I found all 5 creds from port 3*** and got the login pages on port 8*** and /L***** and /m*****, but still can’t log in. I also tried changing from caps letters to small and vice versa. Still stuck, pointers?

@BicNasty said:
Looking for some hints. I have enumerated found 3***. Found a root password. Stuck on exploiting 3***. The exploits I’ve found talk about manipulating the cookie. Need some pointers. Thank you.

Research about JWT using Curl.
I personally learned from it

@s4vitar said:

Hmm… easy box

Could you help me in submitting t**en?

@deleite said:

Finally rooted.

It took me a while. Frustrating machine.

Tips:

  • Use the db credentials with another user name in the ‘Webservice’

  • Retrieve the usernames, but you also need to retrieve the passwords, using the same webService.

  • Some login forms are useless, use the credentials obtained before to login onto a webapp.

  • Once inside the webapp, it’s straightforward.

  • User and root come together.

Is there more than one method to get in?

I think I found an article on how to create the J** but I’m having issues with the syntax I think. Anyone able to look my stuff over? PMs open.

I got only one set of creds from a directory, can someone give me a nudge on how to get the other set of creds? I think the previous comments said to get the other creds thru poking around on the high ports?

Rooted.
I have mixed feelings about this machine. Part of me hated it, part of me loved it.

@BicNasty said:

I think I found an article on how to create the J** but I’m having issues with the syntax I think. Anyone able to look my stuff over? PMs open.

Typically speaking, J** forgery is going to require one of two things:

  • you are in possession of some sort of key which permits you to sign the forged token in a way that the server will accept that it is valid or
  • some sort of bug or design flaw in the process of validating tokens such as not checking the signature or doing something else equally bad.

If you don’t have any sort of key and you’ve tried sending an unsigned token and/or if you’ve signed a token with a key or just made up a signature and it didn’t work, there’s probably a significant chance that the code is correctly validating signatures and you may need to find another way to approach the problem.
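The two conditions listed in the post above, seen from the server side, as an added example that is not part of the original thread or of the machine's code: a verifier that pins the algorithm and checks the signature before reading any claim. HS256, the key and the claim names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def issue_hs256(claims: dict, key: bytes) -> str:
    """Issuing side: only a holder of `key` can produce a signature that verifies."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid token, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the token's own header never chooses it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    # Constant-time comparison; an empty or made-up signature fails here.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Claims are parsed only after the signature has been checked.
    claims = json.loads(b64url_decode(body_b64))
    if not isinstance(claims, dict) or "exp" not in claims:
        raise ValueError("missing exp claim")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample value, not from the thread
    tok = issue_hs256({"sub": "demo-user", "exp": 2_000_000_000}, KEY)
    print(verify_hs256(tok, KEY, now=1_700_000_000))
```

A server written this way leaves only the first condition in the post: without the key, neither an unsigned token nor an edited payload is accepted.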

@deviate Thanks for the hint. I have only found one credential in a c*****.p** file. Is there another one I need to find?

@BicNasty said:

@deviate Thanks for the hint. I have only found one credential in a c*****.p** file. Is there another one I need to find?

There are hints earlier in this post saying something like “what’s another name for root” which is relevant here.

@deviate Thanks for the hint. I have only found one credential in a c*****.p** file. Is there another one I need to find?

@deviate THANK YOU. Stupid me.

I have a token now. Just trying to figure out the syntax for the next step.

Finally owned it. My first box. Bit tricky at the start, but then it’s easy. It’s funny I got the root first and took me a few minutes after to get the user. haha

I have found c********** from c*****.*** and I found login entries /l****.*** and /m********* on port 8*. I already tried to get some t***** at port 3*** but nothing is working. Can someone hint me if I missed something?

At last I owned it!!! Yeahh … play around with JWT… you will get the answer… and please don’t make a wrong copy paste 🙂

hints:

1- get the :3***/l**** using cl
2- again using cl with credential token get :3**/u****
3- Play around with all users that u have …
4- Enjoy HAckin9 …

Finally got it too, with some help though. I struggled to get auth working but I was so close (wrong endpoint used and small mistake in syntax). After that it’s rather smooth really. My tip would be: Make sure to really play around with users, mix and match so to say.

Thanks @H4d3s for the box! I learned so much (Don’t trust one single tool to always be the best option, enumerate enumerate enumerate, dare to play around and think outside of the box)