Official Agile Discussion

Rahul_Baylan · March 12, 2023, 5:54pm

need hints for root

tec · March 14, 2023, 8:35am

machine silently patched without changelog?
a secret changed to unknown urandom(32).

ashawe · March 15, 2023, 1:01am

I have a similar issue where I don’t know where to start. I’m trying to get directories / pages and subdomains but no luck so far. Can you give me a hint?

tec · March 15, 2023, 1:20am

Do you get the correct domain? noting the redirection.

ashawe · March 15, 2023, 2:37am

What do you mean by redirection/correct domain?
I’m only getting agile.htb as nginx default page and didn’t find any other directories/subpages when using a medium dirbuster wordlist.

tec · March 15, 2023, 3:17am

try with ip, or some arbitrary subdomain.
you would encounter 301 when fuzzing vhost/subdomain.

Newuser · March 15, 2023, 10:47am

Can Anyone help me with the foothold?

Newuser · March 15, 2023, 11:51am

Can you help me here? I found the LFI but I don’t know what to do besides looking into /etc/passwd to find potential usernames.

guh · March 15, 2023, 3:01pm

Help with werkzeug console pin exploit , please DM

Paradise_R · March 15, 2023, 3:34pm

Try to look into the source code, its path is visible in the error logs

hatecomputers · March 15, 2023, 3:41pm

@tec already posted up in the comments, but the foothold might have changed (silently, apparently). I’m talking some info you might find yourself trying to extract from a specific file.

UPDATE: Apparently it has been added yesterday.

aymanabouhamra · March 15, 2023, 6:57pm

Hey guys, this was a tough one for me. At last, rooted!
DM me if you need help / hints

PhiLight · March 15, 2023, 8:35pm

I’m stuck at first user. I tried a lot of things, but I’m not sure how to proceed. Any hint/help would be great. I’ve been at it for a week

tec · March 16, 2023, 5:52am

Maybe not anymore after the latest patch.

mar11 · March 16, 2023, 2:25pm

Hi there! Can anyone PM me and guide me a bit withing this box? I’ve already checked all the paths I’ve found and got stuck… I have lfi, have app’s source code ect. But I see that the app is probably patched and the cookie+idor path can’t be used anymore. I also tried to reverse Pin but with no luck. Have a feeling I’m missing something obvious…

hatecomputers · March 16, 2023, 3:43pm

I’m in the exact same place as @mar11. Can someone give me a nudge on that?

greder · March 16, 2023, 8:48pm

I’m trying to see the source code of the application but I can’t get the path of the application

XVX · March 16, 2023, 8:48pm

Can someone tell me if reversing the *** for the c***** is the right track as I don’t think IDOR or cookie mods are possible since patch.

XVX · March 16, 2023, 8:49pm

check errors

greder · March 16, 2023, 8:52pm

llevo ya casi una hora e probado todas las rutas que salen en los errores y nada