Official Doctor Discussion

@archer23 said:

Is there some sort of method besides altering “H***:” in the request to find the thing?

Well, you can update the file on your system so you can just make normal requests in your browser.

Alright…I’ve been banging my head on a wall…did that for a few days, left, then decided to come back, banging on the same wall again.

I’ve read all the posts in this thread and I am apparently seriously behind in my injection knowledge. People keep talking about s**i but having the right **, but allthethings only has sqli (of those that fit that pattern), or maybe I’m just tired… I don’t get it. My enumeration, in general, always sucks; so I’m thinking most of the time you need experience (whether it’s researching with the right resources or encountering similar vulnerabilities before - but man, this one stumps me). I need a serious nudge here; I don’t even know what help to ask for at this point… I guess help on identifying the injection point? I’ve popped open Burp, pored over source code, looked at soooo many responses, but I have no idea what to even look for to know that a specific field or parameter is vulnerable.

Thanks for any assist!

@unkn0wnsyst3m said:

, but allthethings only has sqli (of those that fit that pattern),

This isn’t correct. The challenge is that saying what the letters are is 100% a spoiler.

or maybe I’m just tired… I don’t get it. My enumeration, in general, always sucks; so I’m thinking most of the time you need experience

Practice really does make perfect.

I need a serious nudge here; I don’t even know what help to ask for at this point… I guess help on identifying the injection point? I’ve popped open Burp, pored over source code, looked at soooo many responses, but I have no idea what to even look for to know that a specific field or parameter is vulnerable.

Take the information in Burp and google it. Google all of it, there is a key phrase here which returns everything you need.

Tried inserting sqli payloads into what might be vulnerable parameters on the messaging app, but I’m getting nothing. Does anyone have an article that teaches us about the source code we are supposed to be looking at? Or any nudge how to trigger said SQLI?

@squirrelpizza said:

Tried inserting sqli payloads into what might be vulnerable parameters on the messaging app, but I’m getting nothing. Does anyone have an article that teaches us about the source code we are supposed to be looking at?

View source might help but basic enumeration is also effective here. The mistake is in assuming you need to follow the path set by the application, rather than looking at what else processes data.

Or any nudge how to trigger said SQLI?

I don’t recall any SQLI on this box.

@TazWake said:

@in3vitab13 said:

Got user s****.
Any hint for privesc?
I know s****k is the way… but how? How should I approach it?

Well you probably want a local privesc attack.

I think I am in the same place as @in3vitab13. I’ve done what I thought was the hard work and got a shell as s***n and thought I spotted the path to root quite easily. I am running the local version of a script to target the service (as the default creds can’t be used remotely), but it’s not working, so either I’m running the script wrong or the creds aren’t default. I don’t have permissions to read them from the service directory. Any gentle nudges? Have I missed some enum?

Gah! I had it all along. Just needed some sleep to see it…

Can I have some nudges, please?
I’m in with the user w** and found a password hash inside an slt* db for the user a**i* and now trying to crack it with Johnny as a bcrypt Blowfish but isn’t really cracking open. Otherwise I didn’t find many interesting things. Any help? Is this pass hash a rabbithole?

@rowra said:

Can I have some nudges, please?
I’m in with the user w** and found a password hash inside an slt* db for the user a**i* and now trying to crack it with Johnny as a bcrypt Blowfish but isn’t really cracking open. Otherwise I didn’t find many interesting things. Any help? Is this pass hash a rabbithole?

I think this is a rabbit hole, but your thoughts are correct in looking for “keys”…suggest you run some linux CLI juju to find what you are looking for in an automated way. There certainly is a way to narrow down “where” you need to look.

Hmm, I am pretty stuck on the messaging bit… if anyone could give me a nudge that would be awesome…

A link you posted was not valid! <— this is driving me batty! lol

@Gizmet said:

Hmm, I am pretty stuck on the messaging bit… if anyone could give me a nudge that would be awesome…

A link you posted was not valid! <— this is driving me batty! lol

You are probably enumerating for a specific vulnerability that is not there. Check the HTTP responses for a hint and then find a page that behaves consistently with that vulnerability.

ROOTED! Fun machine, learned about a new vulnerability today!

Foothold - #@$&%&, examine the unique HTTP responses you get back, not the top 2 web services out there… then look for a page (or pages) consistent with that vuln to enable you to trigger it.
User - Enumeration is the name of the game; recommend you stay away from scripts; use a built-in to search through files.
Root - You know that one thing you tried first but then failed at? Yeah, try that… then research privesc techniques, it’s all there.
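The two hints above (the earlier “Linux CLI juju to find what you are looking for in an automated way” and “use a built-in to search through files”) both point at the same technique: sweeping readable files for credential-looking strings with nothing but find and grep. The following is an added example written for this page, not code from the thread or from the box; the patterns, paths and sample files are constructed assumptions, and the constructed tree exists only so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: a grep-based sweep for credential-looking
# strings in readable files, the "built-in" approach recommended above instead
# of dropping a third-party script on the target.

# Assumed patterns (ERE, matched case-insensitively); tune them to the target.
SECRET_PATTERNS='passw(or)?d|secret|api[_-]?key|token|BEGIN [A-Z ]*PRIVATE KEY'

# search_secrets DIR: print "file:line:match" for every readable text file
# under DIR whose content matches SECRET_PATTERNS. Binaries are skipped (-I),
# unreadable files are skipped silently, and /dev/null is passed as a second
# argument so grep always prefixes the file name (portable alternative to -H).
search_secrets() {
    dir=$1
    find "$dir" -type f 2>/dev/null |
    while IFS= read -r f; do
        [ -r "$f" ] || continue
        grep -EIin "$SECRET_PATTERNS" "$f" /dev/null 2>/dev/null || true
    done
    return 0
}

# demo: constructed sample tree (not from the box) showing that the config
# file is reported, the harmless text file is not, and the NUL-containing
# "image" is skipped even though it contains the word "password".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/config" "$tmp/app/static"
    printf 'debug=false\ndb_password=Winter2020!\n' > "$tmp/app/config/settings.ini"
    printf 'nothing to see\n' > "$tmp/app/static/readme.txt"
    printf 'PNG\000\000password=binary\000' > "$tmp/app/static/logo.png"
    search_secrets "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real target you would point search_secrets at the web root, service home directories and /etc rather than a temp tree, and extend SECRET_PATTERNS with the names of whatever service you found during enumeration.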

Totally got there in the end with no help! My fault, missed something stupid!

cat root.txt

whoami
root

Do the successful exploits in the fields generate a 500 error?

@rpthomps said:

Do the successful exploits in the fields generate a 500 error?

It depends. If you do some tests, they should work and give you clear output showing it is the right path.

Then you can be confident it should work.

Is brute forcing the login on a specific page required, or is there a more intuitive way to get access?

@luckyUser said:

Is brute forcing the login on a specific page required, or is there a more intuitive way to get access?

Have you tried creating an account?

@TazWake said:

@luckyUser said:

Is brute forcing the login on a specific page required, or is there a more intuitive way to get access?

Have you tried creating an account?

Funny enough, I did right after posting that question. I need to get out of the habit of assuming registration doesn’t work on these boxes. Thanks for your help.

This box was definitely super funny. Learned a great deal.

User was tricky but root was easy.

You can send me a message if you need a nudge.

When running linpeas I get the following: “newline unexpected when run shell script”. Any experience with this?
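The thread does not answer the question above, so the following is an added note and example, not code from the thread or from the linPEAS project. As a general fact about how sh (dash) parses input, not a diagnosis of this poster’s case, “Syntax error: newline unexpected” from sh usually means one of three things: the file is not a script at all (an HTML page was saved instead of the raw script, and dash reads “<!DOCTYPE html>” as two redirections that end at the newline), the file has CRLF line endings, or a bash script is being run under sh. The checks below are an assumed triage routine; the sample files are constructed so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from linPEAS: sanity checks to run on
# a script that fails with "Syntax error: newline unexpected" before
# re-running it. The causes checked are general dash behaviour (assumption),
# not a statement about the poster's file.

# check_script FILE: print one word (or short phrase) describing the problem
# and return 1, or print "ok" / an interpreter hint and return 0.
check_script() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # First line only; NULs are dropped so the shell can hold it.
    first=$(head -n 1 "$f" | tr -d '\000')
    # No shell script starts with "<"; an HTML error page does.
    case $first in
        '<'*) echo "html-not-script"; return 1 ;;
    esac
    # A carriage return anywhere means CRLF line endings.
    if grep -q "$(printf '\r')" "$f"; then
        echo "crlf"
        return 1
    fi
    case $first in
        '#!'*/bash*) echo "bash-shebang: run with bash, not sh" ;;
        '#!'*)        echo "ok" ;;
        *)            echo "no-shebang: run with an explicit interpreter" ;;
    esac
    return 0
}

# demo: constructed files (not from the box) covering each case.
demo() {
    t=$(mktemp -d)
    printf '<!DOCTYPE html>\n<html><body>404</body></html>\n' > "$t/page.sh"
    printf '#!/bin/sh\r\necho hi\r\n' > "$t/crlf.sh"
    printf '#!/bin/bash\necho hi\n' > "$t/bash.sh"
    printf '#!/bin/sh\necho hi\n' > "$t/good.sh"
    for s in page crlf bash good; do
        printf '%s: %s\n' "$s.sh" "$(check_script "$t/$s.sh")"
    done
    rm -rf "$t"
}

demo
```

If the check reports html-not-script, re-download the raw file (for GitHub-hosted scripts that means the raw URL, not the page that renders it); for crlf, strip the carriage returns with sed or tr before running; for a bash shebang, invoke it with bash rather than sh.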