When I try to run python ***** 10.10.10.198 I get this after the BOKU sword.
Traceback (most recent call last):
  File "-----", line 90, in
    s.get(SERVER_URL, verify=False)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 640, in send
    adapter = self.get_adapter(url=request.url)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 731, in get_adapter
    raise InvalidSchema("No connection adapters were found for '%s'" % url)
requests.exceptions.InvalidSchema: No connection adapters were found for '10.10.10.198:8080'
You are missing something very simple in your request. Read the script and have a look at what is getting appended, or better yet what ISN’T being appended.
You also just gave away the python script number. Maybe remove that from your post.
@meb22f102 said:
I have gained user access, but can’t figure out how to escalate to root… can anyone give me a nudge… I have got the mysql creds and tried to connect via remote tunneling but it did not work.
@roigershon15 said:
Hi Guys, I have found a s****t to exploit the machine, however I get the following error message when I use python:
import sys, urlib, re, requests
ImportError: No module named requests
When I use python3 I get another error:
print header();
SyntaxError: Invalid syntax
Please help me continue this machine
Okay so you need to learn how to read python error output. I would suggest doing a basic python course and learning how to script a little bit.
The first error is because there is no module named requests in your library. It literally says it in the name. If you google that error message then it will tell you how to install that module. Hint: It involves pip.
For the second error, this is because python uses different syntax to python3. If you get a syntax error then there is a good chance that it is a python script, not a python3 script.
It isn’t a shell. Look at the exploit instructions and see what type of exploit it is. Then read the code a bit and see where the POC author has made a mistake in the instructions, work out what you need to do and exploit the box.
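The three errors discussed in the posts above (InvalidSchema for a target without a scheme, ImportError for a missing module, SyntaxError from Python 2 code under Python 3) can all be caught before a script is run. The following is an added example, not part of the original thread or of any script mentioned in it; the function names, the sample sources, the made-up module name and the default `http` scheme are assumptions.

```python
import ast
import importlib.util
import re

# Constructed inputs; the module name below is made up so the lookup fails.
SAMPLE_PY2 = "import sys\nprint header();\n"
SAMPLE_IMPORTS = "import sys, re, no_such_module_for_demo\n"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

def missing_scheme(target):
    # requests chooses a transport adapter by URL prefix ("http://", "https://");
    # a bare host:port matches neither, which is what InvalidSchema reports.
    return SCHEME_RE.match(target) is None

def with_scheme(target, scheme="http"):
    # "http" is an assumed default; use whatever the service actually speaks.
    return "%s://%s" % (scheme, target) if missing_scheme(target) else target

def preflight(source, target):
    """Return a list of problems found before running `source` against `target`."""
    problems = []
    if missing_scheme(target):
        problems.append("target has no scheme; try %s" % with_scheme(target))
    try:
        tree = ast.parse(source)  # parses with the interpreter running this check
    except SyntaxError as exc:
        line = source.splitlines()[exc.lineno - 1].strip()
        hint = " (Python 2 print statement?)" if re.match(r"print\s+[^(=]", line) else ""
        problems.append("line %d does not parse under Python 3%s" % (exc.lineno, hint))
        return problems
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names = [node.module]
        else:
            continue
        for name in names:
            top = name.split(".")[0]
            if importlib.util.find_spec(top) is None:
                problems.append("module %r is not installed for this interpreter" % top)
    return problems

if __name__ == "__main__":
    for src in (SAMPLE_PY2, SAMPLE_IMPORTS):
        print(preflight(src, "10.10.10.198:8080"))
```

Run it with the same interpreter you intend to use for the script, since both the syntax check and the module lookup are specific to that interpreter.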
Found an exploit that uploads a file. After some modification for syntax errors in the exploit I finally made it say “Successfully connected to the webshell” instantly followed by “Exiting.”
What am I doing wrong here?
I used python3 and edited a bunch of syntax errors. Should I go back to python, and then figure out how to install the additional dependencies?
It is difficult to say because it depends on what exploit you found and how you modified it.
At a guess, I’d suggest it’s something along the lines of you’ve found an RCE exploit and tried to turn it into a webshell exploit, which it doesn’t like. It might be better running it as is with the correct version of python for the exploit.
Working on the snake program to make it an .executioner and root the box.
Uploaded it and ran it, but am not seeing any evidence of it working. Have tried using it to run commands and even a batch script to run n*.exe but still nothing. Is this right or am I going down a rabbit hole?
The challenge is that there are about a dozen exploits to pick from, so it really hinges on which you went for and how you modified it to suit your needs.
I found it much easier and faster to point the victim at my machine rather than mess about with recompiling things.
Yeah, I see where this could get confusing if I am not more specific.
The snakey program I found will run command. But I thought perhaps if I point somewhere else like at a cat caught in a net maybe I could have a shell.
This didn’t work.
So I just ended up finding a program that downloaded a bit of precipitation known to float in the sky and looks like cotton on the target. And there seems to be a snakey script for that too.
I am curious if this is the route to take. Although your comment about not compiling has me a bit confused.
Some other posts talk about getting scripts to work without an interpreter… But I am unfamiliar with this and haven’t come across any google resources that explained it.
> Yeah, I see where this could get confusing if I am not more specific.
> The snakey program I found will run command. But I thought perhaps if I point somewhere else like at a cat caught in a net maybe I could have a shell.
> This didn’t work.

The logic seems sound.

> So I just ended up finding a program that downloaded a bit of precipitation known to float in the sky and looks like cotton on the target. And there seems to be a snakey script for that too.

Ok - it seems that you have found the right target.

> I am curious if this is the route to take. Although your comment about not compiling has me a bit confused.

You don’t need to compile anything. I didn’t.

> Some other posts talk about getting scripts to work without an interpreter… But I am unfamiliar with this and haven’t come across any google resources that explained it.

There is a way to make something that points inside point to your machine. Then you can use the tools on your machine as if it was there.
Fun machine.
I haven’t learned a lot, but I discovered that a tool I was pretty accustomed to is now deprecated…
User: enumerate till you find what they want you to know. Then just google it the easy way.
Root: again: enumerate till you find a huge hint towards the resolution. Once you get it, google it the easy way and then you must just make a few changes…
This is a nice box and really straightforward. My only advice is on root. I found there are multiple posted exploits for the vulnerability. Their payloads and how they instruct you to build your payloads will vary. Don’t get discouraged if it doesn’t work or be afraid to try crafting a different payload. I used two before finding the correct one.
Feel free to DM for a nudge and thank you @egotisticalSW for the box!