Official Doctor Discussion

Definitely not an easy box, but big fun and learned a lot

As often, user is the harder part, root is very well documented, just use what already exists. For User and Root: enumerate, enumerate, enumerate very carefully

PM me if you need a hint

I was able to get to the login page but I don’t understand why it worked and really want to know before moving on. I’d appreciate if someone could PM me about that

@0xL said:

I was able to get to the login page but I don’t understand why it worked and really want to know before moving on. I’d appreciate if someone could PM me about that

It depends what you mean about why it worked.

I suspect your question is down to how HTTP works and the way the hosts header works.

Yes, I didn’t want to say too much but that little bit you just said is enough for me to go and do my own research. Thanks

Hello guys, I’m stuck on getting the user. I’ve seen that it’s part of some group but I got nothing from there!

Could you please give me a little help?

Thanks :slight_smile:

Update: I got it ^^

Hi, thanks everyone for the hints.
I managed to get user & root.
Foothold: very interesting way of injection
User: enumerate… there is one thing you have access to…
Root: pretty simple

Hello guys, is it normal that I can only see a single page on this machine?
I tried gobuster but it can only find css, images, fonts, and js

Any idea?

Never mind :slight_smile:

How to use the exploit for the root? I can’t use any command because of the bash term

@N00p said:

How to use the exploit for the root? I can’t use any command because of the bash term

Never mind, rooted the box

Just rooted it. Excellent box, although definitely harder than what I was expecting for an “Easy” box.

The only hint I want to add to the many already given is that there are variations of the “quiet” exploit and not all work.

Beginner here working on foothold. I’ve managed to upload a test script and track down the output. I assume I need to use n* to launch a s**** but I have no idea how to figure out what payload to use or how to format it. Any good sources to learn this?

@Vomocer said:

Beginner here working on foothold. I’ve managed to upload a test script and track down the output. I assume I need to use n* to launch a s**** but I have no idea how to figure out what payload to use or how to format it. Any good sources to learn this?

You don’t need n*. There is a site which covers payloads for all things. Find it and have a look. One of them works really well here.

@LeChatP said:

GG to 2 First blood

Mate, noob here. First box. Did a few scans, got open ports. But a little nudge, anyone?

@SydneyJR said:

@LeChatP said:

GG to 2 First blood

Mate, noob here. First box. Did a few scans, got open ports. But a little nudge, anyone?

It depends what you are stuck with.

If you have something you can post data to, try different attacks and see what works.

If you don’t, look closely at the information you have and modify how you are requesting pages.

@TazWake is it cool if I DM you? I think I’m close and missing something dumb since I’m new but I don’t want to post any spoilers here

@Vomocer said:

@TazWake is it cool if I DM you?

Always.

I think I’m close and missing something dumb since I’m new but I don’t want to post any spoilers here

I have gotten a shell via SI and executed li***.sh to enumerate some info for privesc. I noted that lo*****te seems vulnerable.
Am I on the right track?
I have been stuck on this step for a while. Could anyone give me a nudge?

@JasonChang said:

I have gotten a shell via SI and executed li***.sh to enumerate some info for privesc. I noted that lo*****te seems vulnerable.
Am I on the right track?
I have been stuck on this step for a while. Could anyone give me a nudge?

Ohh, I found the way to user1!

I am a bit stuck on initial shell.
I can’t seem to find a valid path forward. I found S***** and know this is my way in. I tried the different default creds I could find but no luck so far. I looked through the forum and see that people suggest looking closer at the home page but am not seeing anything obvious. Can anyone help me?

@Droctapus said:

I am a bit stuck on initial shell.
I can’t seem to find a valid path forward. I found S***** and know this is my way in.

It depends what that means. The way in is ****. You are mistaken if you think something running on a very high port is the way to get a foothold.

I tried the different default creds I could find but no luck so far.

That is a decent sign you are attacking the wrong thing.

I looked through the forum and see that people suggest looking closer at the home page but am not seeing anything obvious. Can anyone help me?

Look closely at it. See what it says. Use that. Access the different thing. Examine it in detail. Exploit it. Get a shell.

What you think is a foothold is better for privesc.