If you are using Firefox, go try on Chrome. It worked for me on Chrome. Firefox, for some reason, gave me quite a rage!!!
I need help with the nonce thing, trying for a few hours and each time unauthorized!!! Is the machine bugged or what?
EDIT: I am an idiot!
I got a question: I was able to find the c*** subdomain because of a nudge, but I wanted to know how you guys found it. It’s impossible to bruteforce it since we need to enter this domain before in the /etc/hosts file, right? So how can you enum on this?
Thanks
Is the created account for permissions supposed to hit a denied permission page when attempting to log in to the new account?
Never mind, found a different CVE that bypassed that step.
Can someone help? Where are the default creds?
It’s all about enumeration. If you can’t find something on your initial search, you got to dig deeper.
Yes, I have too.
I’m sorry, I can’t seem to find the right list… I’m using rockyou
…
For what?
I followed a related Medium article to bypass Duplicati, but I still get an Unauthorized error. I’m not sure what I did wrong.
Thanks, gobuster solved my problem.
I cannot find the right m***** key to log in to the machine. I grepped for it and I found one in the pki folder, but it didn’t work. Any hint?
Anyone else think root was a bit complex, or was it just me?
Hi, can you help me, please?
Same here. Curious to know if anyone got a shell?
Hey Everyone!
I’m at the point where I have user.txt and I’m trying to log in to the Duplicati server. I am trying to change nonce sessions but it’s not working and I’m unsure what to do. If anyone could give me a nudge, that would be great.
Thank you!
Lots of hints here already, but in case someone is still stuck:
Foothold: basic enumeration, look for (all) places where you can input data. When you find something you can exploit, don’t go directly for automation tools. Instead, try to figure out how the input is being handled by the server. You may be blind, but you don’t need to wait for any answers. After figuring out the vulnerability, go for the automation tool and you’ll have valuable data in just a few minutes. Next, all you have to do is use the retrieved data, combine it with the information gathered in the first steps, and do some research about known vulnerabilities.
User: everything you need can be found right where you will land after initial access. Just stick to basic enumeration, and you’ll get access to sensitive application data.
Root: pretty simple. Check out the services running on the machine and look for unusual data sitting in unusual directories. Some basic searching/googling will help you get access to the application. After that, don’t forget a file that you have probably seen before and that describes how the application you accessed should be deployed. This should help you find where the real data that you need to “extract” is stored.
Hope this helps!