Official Analytics Discussion

" sudo nmap -sS -p- -Pn -n --open --min-rate=1000 $IP -oN ./Scan_1.txt Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-01 16:38 EDT Nmap done: 1 IP address (1 host up) scanned in 132.38 seconds" I do the nmap scan and nothing comes,need help

stuck with privesc don’t find any thread to pull from…

Just pay attention to what you find in enumeration. Keep it simple and follow your basic privesc checklist. You should then be able to find an avenue to go down.

Well, that was quite a journey.
Not terribly hard, but everything you try seems to fail due to some mysterious reason the first time you try it.

Foothold: you don’t need Burp collaborator. Look for a better exploit, there is one in python that gives you a reverse shell.
User: look for better tools to enumerate. It’s quite obvious when you see it. I also find that PayloadsAllTheThings is a great resource when I don’t know something.
Root: I used the hot new vulnerability. The exploit was terribly unreliable on my side.
But there is a one liner to check if the system is vulnerable. So when you know it’s vulnerable, you know it should work. Go watch ippsec video, adapt the exploit. And try harder and try again and again with different offsets. It should work at the end.

Cheers

Hello. I was able to get the first shell on Analytics. However, I was expecting to see a user flag in the user’s home directory, but there’s nothing there. I did the usual ls -la but nothing is there. I am in the user’s (/home/metabase). Am I not in the right place?

Never mind…I figured out I wasn’t really done with getting the real user. Got it now.

I am getting incorrect flag after I submit the user.txt present in home directory ending in 6ac.
I have already reset the machine once…
Any inputs?

Someone having trouble accessing the website? Here when I run nc 10.10.11.233 80 -v it says: “Connection Refused”

I don’t know if this implies something but, in the /etc/passwd file, the shell for the metabase and root users is /bin/ash instead of /bin/bash.

EDIT: Nevermind, got a connection.

Were you able to get them to work? I can’t get either flag to work, one ending in 174 and one ending in 6ac. All it says is the flags are incorrect. After rooting the box, I’m looking at both but nothing is working.

It took a loong time, but finally, rooted:

I sent you a message to ask about the flags. I provided both a censored version of root and user. Not sure why mine don’t work :frowning:

Following up on this: I had to revert the box to get it to work. Almost like someone messed with both flags. After the revert, I had both flags submitted successfully!

Is anyone trying this machine? It’s been days I’m trying to reach subdomain but it’s always down.

EDIT:

don’t know what to say, deleting and rewriting /etc/hosts with the exact same thing, solved for me.

Same issue - Don’t know why but last week I had tried some other boxes as well. None of them were stable. That one is too. Not stable and not giving you the ability to reboot it. Don’t know why.

Interesting exploits. Thanks to the creator :slight_smile:

FOOTHOLD : not many things exposed so obvious
USER : arf! :upside_down_face: Enum until the end of what you see
ROOT : you’re on the right track. Enough hints (only one is useful). Just keep trying.

The box is not working, I can’t ssh into the user, but I certainly have the right username and password, there is always the error Permission denied, please try again.

env

Hi, is this box bugged?

/api/sessions/properities/ says “API endpoint does not exists”

Got user and root.

Enum: Do not go deep. You need basic skills and ports.
Foothold: It is straightforward, use your OSINT skills. Dig but not too far. Play with MisSFortune or Snake3.
PrivEsc: Which are the basic Linux files? Read them through. If you can’t, check which horse you mounted.

note1: In terms of exploits, there is a difference between potato fries and french fries, check them both.
note2: you may need to restart the machine after failed attempts.

Have fun.