Official MonitorsThree Discussion

There’s a ffuf flag to output debug errors to a log file so you can troubleshoot. I think it’s -debug-log /path/to/file. It’s helped me on a number of occasions.

Any hint for the first auth?

I have tried for foothold. I have used FFUF and found a Desert plant. I have used Dora's favourite tool and found ***_user but I'm not getting any hashes or creds to use. Can I get a hint please?

I have used ffuf and found all the .php files. Can someone give me a hint on where to go next? Thank you.

You can DM me for some nudges if you wish. I think there are some decent hints in the thread already to get you where you need to be and what needs to be done for foothold, but I can be more direct if you wish.
@badre619
@lordsoahc
@rdy2hunt

Hey @Ashishgupta, even I got the root easily with user-level access, but I still tried to escalate my privileges. I was able to pivot and gain access to the internal server, but after that I am stuck. If you know anything, please help.

So you have access to the web panel of Duplicati? Can you log in to it? It is backup software which is running as root. You can simply do a backup of /root for the root flag or run a script using it.

Rooted :)
Is there any way to get a shell as root? I couldn’t crack the shadow file.

I think that I found the c**.*** you are mentioning but not sure how to abuse it. Tried to blindly inject c** on this very page using common params and various verbs but I don’t seem to get anything from the machine (did not go far on escaping and enumeration though). Is this the way or am I charging windmills?

You need to find another page that you can perform SQ******ction on to dump some creds so you can log in to that subdomain.

Hello, does anyone have a little hint for the root part? :sleepy:

Lost a lot of time trying to generate a pair of keys while the approach was way more straightforward. I forgot the obvious way to expose local resources. Not sure how NLTE got the user in 12 minutes (is there a way for the user different than the one for root?). Thanks for your help, @FroggieDrinks

SUPER SLOW
Do it manually

Well, I guess I'll buy some food while sqlmap is running

Root was so simple actually, but I was overthinking for 2 days

Tip for Root Privesc because I was a silly goober and wasted 20 minutes:

If you decide to use online encoding, they may auto-delimit Hexadecimal with spaces.

Don’t. :,)