Official Passage Discussion

SanderZ31 · September 6, 2020, 1:46pm

Root!

gunroot · September 6, 2020, 1:46pm

Type your comment> @0xstain said:

do i must crack the hash for get user?

Hashcat may work with correct module mentioning.

smashsec · September 6, 2020, 1:52pm

Rooted! Nice to have an easier box this week - thanks to @ChefByzen.

DeSun · September 6, 2020, 2:04pm

Rooted in the end after stepping over the clue a few times. Thanks @gs4l for the nudge. It’s a nice box @ChefByzen

maskop9 · September 6, 2020, 2:51pm

Initial foothold : Google
User1 : Look around
User2 : Look around
root : Corona time, catch a bus and get back home; don;t come out #staysafe

6h4ack · September 6, 2020, 3:10pm

Rooted
If anyone need a hint, PM

0ri · September 6, 2020, 4:54pm

got the hash from co**.php but can’t crack it . Any nudges?

tang0 · September 6, 2020, 5:13pm

Type your comment> @maskop9 said:

Initial foothold : Google
User1 : Look around
User2 : Look around
root : Corona time, catch a bus and get back home; don;t come out #staysafe

Rooted, thanks to this comment.

Certainly on the easier side of medium boxes. The best part is that all the steps are quite logical with no guess work involved. Props to the creator @ChefByzen for that.

All the hints have already been given in this thread. But if you still need a nudge, feel free to pm.

CarbonDPG · September 6, 2020, 5:14pm

Type your comment> @sparkla said:

@CarbonDPG said:
I’m not the owner of the box (obviously), but F2B can be configured to detect (and ban) directory brute forcing.

Thanks for clarifying. Didn’t know that. How does it work? F2B works with “Jails” when banning failed logins, I never looked under the hood how it’s actually doing this.

Fundamentally, F2B is just a log parser. Create a new definition and scan for specific regex in the apache logs. Github link below to detect weblogins for example. Though in this case, you’re not scanning for POST requests in /login, you’re scanning for excessive POST or GET requests to any page. Add the new definition to the jail config, restart the F2B service and bob’s you uncle.

gist.github.com

https://gist.github.com/joecampo/848178ab5c18aada0eab

fail2ban.md

If you're not familiar: What is **fail2ban**? [fail2ban](http://www.fail2ban.org/) is an ***awesome*** linux service/monitor that scans log files (e.g. auth.log for SSH) for potentially malicious behavior. Once fail2ban is tripped it will ban users for a specified duration by adding rules to Iptables. If you're unfamiliar with fail2ban [Chris Fidao](https://twitter.com/fideloper) has a wonderful (& free!) series about security including setting up fail2ban [here](https://serversforhackers.com/series/security).

Recently [Laravel](http://laravel.com/) released a new feature in 5.1 to [throttle authentication](http://laravel.com/docs/5.1/authentication#authentication-throttling) attempts by simply adding a trait to your authentication controller. The Laravel throttle trait uses the inputted username, and IP address to throttle attempts. I love seeing this added to a framework out of the box, but what about some of our other apps not built on Laravel? Like a WordPress login? Or even an open API etc.? Ultimately, we’re trying to simply eliminate those that are abusing a HTTP/HTTPS route, or some other service, (in this example, brute forcing into a login). We're not trying to ban user John who simply can’t remember his password. Instead of/or in addition to adding code to the appliation layer to handle this logic to keep out major brute force/abuse attempts, we can leverage fail2ban to create custom filters for specific routes in our Apache/Nginx access log to ban those IP addresses from the server at the Iptables level. For this example & setup, I will be using Ubuntu & Apache.

If you don’t have fail2ban installed already, you can install it quickly using aptitude:

``sudo apt-get install -y fail2ban``

You can check to see if fail2ban is running:

This file has been truncated. show original

gistlog.yml

published: true

Alternatively, tear apart Chef’s F2B config files once you’ve pwned the box. Found out how he’s implemented it himself, the more you know!

CarbonDPG · September 6, 2020, 5:19pm

@LegendHacker said:
got the hash from co**.php but can’t crack it . Any nudges?

Wrong file, right area but search deeper.

SanderZ31 · September 6, 2020, 5:36pm

Spoiler Removed

5n4k3 · September 6, 2020, 5:45pm

Initial foothold can be done without MSF . FYI

m1r3x · September 6, 2020, 5:59pm

Type your comment> @solid5n4k3 said:

Initial foothold can be done without MSF . FYI

I couldn’t make the module work so did it manual way.

HunterS64 · September 6, 2020, 6:06pm

Spoiler Removed

extincted · September 6, 2020, 7:48pm

Spoiler Removed

Code0x13 · September 6, 2020, 9:06pm

This was a really nice machine @ChefByzen thanks for your efforts! Feel free to get in touch if you’re stuck, I’ll try and nudge if you let me know what you’ve tried!

exord26 · September 6, 2020, 9:11pm

got user 2 but stuck now ! found ib… but what i need do ?

Chobin73 · September 6, 2020, 9:36pm

nice machine.
foothold is pure fun. I wasted A LOT of time getting a grip on it only because of my dumb reluctance to consider uppoer and lower case…But once you get it, it’s a snap.
User1: you are a few slashes from the goldmine.
User2: Yes, it is that easy!
Root: i admit i just took the lazy way to get the flag. but once you are able to do that, getting a root shell is trivial…

ecodb · September 6, 2020, 9:48pm

Rooted. Very nice machine.
IMHO in some points it is more “easy” than “medium”.
PM me if you need hints.
@ChefByzen: thanks for this box

Raekh · September 6, 2020, 10:08pm

Got second user, I’m pretty sure I’m home where I need to be. I’m having trouble with my keys and my rings. Solved a problem by including a dash and a cross, but now I just get no answer. How can I “display” what I want ? How do I catch the bus ?