Mango

sogonsec · October 27, 2019, 4:51pm

Everything is self-contained. Brute forcing is useful here, but probably not the method you’re speaking of.

thicksec · October 27, 2019, 5:42pm

im stuck in analytics
any tips dirbuster is not finding anything

verdienansein · October 27, 2019, 6:37pm

Guys stop to ddos the machine.

MrR3boot · October 27, 2019, 6:41pm

There’s no need to think about other (codepen/flex/etc/etc) domains. What you needed is already there. Stay in scope and Have Fun

LoRKa · October 27, 2019, 7:22pm

i want mangos Amigo, but after enumerate by hours and getting lost in rabbit holes, i think i need a hint.

peek · October 27, 2019, 7:35pm

who said easy ?

GordonFreeman · October 27, 2019, 7:38pm

Well, first look at this I was thinking I needed to try to connect to a remote json or upload a local json shell, always seems to spit out an error about formatting or xforward orgin so not sure where to look next with this, any nudges in the right direction?

naveen1729 · October 27, 2019, 7:52pm

good box @MrR3boot
for user, the name of the box is key, you need to make a certain ‘leap’ if it’s not part of your normal web pentest methodology. no amount of brute forcing will help and it’s easy to fall into the rabbit holes.
once you make the leap, user and root are very straightforward.

thicksec · October 27, 2019, 8:32pm

Type your comment> @LoRKa said:

i want mangos Amigo, but after enumerate by hours and getting lost in rabbit holes, i think i need a hint.

did you find anything im just like you

skulled · October 27, 2019, 8:50pm

Initial foothold is really annoying…

peek · October 27, 2019, 9:07pm

Type your comment> @skullkiddo said:

Initial foothold is really annoying…

LOL yeah

rowra · October 27, 2019, 9:11pm

Removed spoiler-ish stuff + nvm @naveen1729, apparently I don’t know how that command works lol, way too tired, thanks

naveen1729 · October 27, 2019, 9:15pm

Spoiler Removed

rowra · October 27, 2019, 10:08pm

– edit: removing question, might as well replace with some hints

user: enum everything and once you’re stuck look for apps/backends that could run on the box that match so well with the box’s name. Then use one of the things you found during enum to interact with it (you don’t need to actually know the stuff’s syntax, just google) and enumerate users and their passwords.
It’s pretty infeasible to do without writing a script on your own. It gets irritating even like so. The web server seems to be very picky about the requests it accepts, you need to mimic a captured request very closely, all headers and all…

root: pretty generic, enum, exploit with a single command

zkvo · October 27, 2019, 10:36pm

stuck on login page, can’t order mango. gobuster not finding much on all domains/ports

peek · October 27, 2019, 10:44pm

Type your comment> @zkvo said:

stuck on login page, can’t order mango. gobuster not finding much on all domains/ports

im also stuck, dont tell me it’s another guess-the-pass machine

rowra · October 27, 2019, 10:52pm

Type your comment> @peek said:

Type your comment> @zkvo said:

stuck on login page, can’t order mango. gobuster not finding much on all domains/ports

im also stuck, dont tell me it’s another guess-the-pass machine

it’s guess-the-backend machine but at least it’s kinda easy-ish. After that there’s no guessing involved

east · October 27, 2019, 11:02pm

Rooted. Fun box!

User:
Once you find the login page, consider the name of the box. This will allow you to get some creds. You will likely need to write your own script. You don’t need to guess.

Root:
gtfobins.

clubby789 · October 27, 2019, 11:05pm

Rooted! Fun box! Big thanks to @rowra for helping me work round my very poor internet connection.

User: The box name is helpful in two ways. Consider your normal route, and change something. There’s some rabbitholes.

Root: Not hard, basic enumeration and gtfobins

rholas · October 28, 2019, 1:10am

Spoiler Removed