Official MonitorsThree Discussion

If you are using Firefox, go try on Chrome. It worked for me on Chrome. Firefox, for some reason, gave me quite a rage!!!

I need help with the nonce thing, trying for a few hours and each time unauthorized!!! Is the machine bugged or what?
EDIT: I am an idiot!

I got a question. I was able to find the c*** subdomain because of a nudge, but I wanted to know how you guys found it. It’s impossible to bruteforce it since we need to enter this domain before in the /etc/hosts file, right? So how can you enum on this?

Thanks

Is the created account for permissions supposed to hit a denied permission page when attempting to log in to the new account?

Never mind, found a different CVE that bypassed that step.

Can someone help, where are the default creds? :smiling_face_with_tear: :smiling_face_with_tear: :smiling_face_with_tear:

It’s all about enumeration. If you can’t find something on your initial search, you’ve got to dig deeper.

Yes, I have too.

I’m sorry, I can’t seem to find the right list… I’m using rockyou
…

For what?

I followed a related Medium article to bypass Duplicati, but I still get an Unauthorized error. I’m not sure what I did wrong.

Thanks, gobuster solved my problem :slight_smile:

I cannot find the right m***** key to log in to the machine. I grepped for it and found one in the pki folder, but it didn’t work. Any hint?

Anyone else think root was a bit complex, or was it just me?

Hi, can you help me, please?

Same here. Curious to know if anyone got a shell?

Hey Everyone!
I’m at the point where I have user.txt and I’m trying to log in to the Duplicati server. I am trying to change nonce sessions but it’s not working and I’m unsure what to do. If anyone could give me a nudge, that would be great.
Thank you!

Lots of hints here already, but in case someone is still stuck:

Foothold: basic enumeration, look for (all) places where you can input data. When you find something you can exploit, don’t go directly for automation tools. Instead, try to figure out how the input is being handled by the server. You may be blind, but you don’t need to wait for any answers. After figuring out the vulnerability, go for the automation tool and you’ll have valuable data in just a few minutes. Next, all you have to do is use the retrieved data, combine it with the information gathered in the first steps, and do some research about known vulnerabilities.

User: everything you need can be found right where you will land after initial access. Just stick to basic enumeration, and you’ll get access to sensitive application data.

Root: pretty simple. Check out the services running on the machine and look for unusual data sitting in unusual directories. Some basic searching/googling will help you get access to the application. After that, don’t forget a file that you have probably seen before and that describes how the application you accessed should be deployed. This should help you find where the real data that you need to “extract” is stored.

Hope this helps!