Official Timing Discussion

dir list medium 2.3 dir 2.3 big

okay sir

saw somewhere else online where default/weak creds were able to get you into the portal, but was there another way to get in via the i****.*** page?

UPDATE: figured it out; aka try harder.


ROOTED!
As usual, that took me more time than it should've… I was especially clumsy in the root part, missed my #1 go-to vector. Probably because I've tried it on what feels like every single machine, but it rarely worked.

It's a nice machine. I didn't really learn anything new, but there are some interesting twists and I took my time to improve existing skills. Including some scripting for the user part to make my life easier.

@p3arl, bruteforcing not required, check all bugs you know about and look at one you haven't still used.

Sorry, I wasn't getting any notifications from the forums. Hit me up on discord for quicker responses: MADE#7255

I believe that I am headed down the right track… But maybe not.

I think the vulnerability exists on ie. not ix.. I am sprinting down this path now. The main reason that I have come to this conclusion is that DIRBuster found it to be the only other thing returning a 200 OK.

With that said, I have attempted a massive fuzzing effort. URL params to GET, PUT, and POST as well as fuzzing PUT and POST body params. No matter what I do with the aforementioned dir 2.3 med or big lists, I still get 200 OK with a 0 size. Please someone steer me in the right direction or tell me what I am doing wrong. Below is a code snippet of part of my script so you can see what I am doing. It is not the complete code but just meant to show what I am attempting to do. It is Python.

I have also tried wfuzz and ffuf with similar results…

import logging
import urllib.parse

import requests

logger = logging.getLogger(__name__)

# Fragment of a larger threaded script: `param` (the current wordlist entry),
# `args`, `queueLock`, `threadName` and `data_obj` are defined elsewhere in it.
param = param[:-1]  # drop the trailing newline from the wordlist entry
param_value = args.param_value
url_encoded_param = urllib.parse.quote(param_value)
body = {
    param: param_value
}
data_tuple = {
    'param': param,
    'param_value': param_value,
    'url_encoded_param': url_encoded_param,
    'orig_url': args.url,
    'body': body
}
orig_url = args.url  # was used below without ever being assigned
full_url = orig_url + '?' + param + '=' + url_encoded_param
queueLock.release()
logger.debug("Processing %s on %s", threadName, data_obj)
try:
    # GET with the candidate parameter in the query string
    get = requests.request(method='GET', url=full_url, allow_redirects=False)
    get.close()
    logger.debug('Response: %s URL: %s', get.status_code, full_url)
    # POST / PUT with the candidate parameter in the body only
    post = requests.request('POST', orig_url, data=body, allow_redirects=False)
    post.close()
    logger.debug('Response: %s URL: %s', post.status_code, orig_url)
    put = requests.request('PUT', orig_url, data=body, allow_redirects=False)
    put.close()
    logger.debug('Response: %s URL: %s', put.status_code, orig_url)
    # POST / PUT with the parameter in both the query string and the body
    post_full = requests.request('POST', full_url, data=body, allow_redirects=False)
    post_full.close()
    logger.debug('Response: %s URL: %s', post_full.status_code, full_url)
    put_full = requests.request('PUT', full_url, data=body, allow_redirects=False)
    put_full.close()
    logger.debug('Response: %s URL: %s', put_full.status_code, full_url)
    checker = [
        put.status_code,
        get.status_code,
        post.status_code,
        put_full.status_code,
        post_full.status_code
    ]
    # Report only when at least one of the five requests did not return 200
    if not set([200]).issuperset(checker):
        logger.info('Response: %s Method: GET URL: %s', get.status_code, full_url)
        logger.info('Response: %s Method: POST URL: %s', post.status_code, orig_url)
        logger.info('Response: %s Method: PUT URL: %s', put.status_code, orig_url)
        logger.info('Response: %s Method: POST URL: %s', post_full.status_code, full_url)
        logger.info('Response: %s Method: PUT URL: %s', put_full.status_code, full_url)
except Exception as e:
    logger.error('Error occurred: %s URL: %s', e, full_url)

Ugh, my foothold/user solution was uuuuuuugly but it got the job done, and the third act mechanism made up for it. I scripted a few things because why not, and just sat back and waited for the loot to roll in. Piles of fun.

Really nice machine !

Learned to read .php source code better, I really put too much effort into something simple.
Rooting was fun, too.

Rooted.

For user
I had some hints reading this discussion page.
I lost some time trying wordlists (got a little bit frustrated, takes time…) but finally had something.
You should work with multiple wordlists. Once you get there, you'll have to dig for the right role and exploit.

For root
You should look at the processes and read the documentation nicely.

MP for hints.

Rooted! Let me know if you need some help with the machine :slight_smile:


Really lovely box, thank you
root:$6$94dEO…

  • Foothold: there are hints for that in this topic, so check them out if you're stuck, try figuring out how to get the php source and how you can invoke your access, don't forget what this machine is called :wink:
    (btw I couldn't make a reverse shell but could make command exec and it was enough)
    Bruteforcing is not necessary, there is an easier way
  • User: check the past
  • Root: I tried the classic method and 2 different ones, I might have succeeded with the last one but we cannot reboot these boxes. Finally I figured out an elegant way which I have never seen before and circumvented the limitations. (It's nothing extraordinary and I believe it is the intended way to solve this machine, I just had never seen it done exactly this way before)

I need a bump to get a foothold so I found the interesting page using gobuster, I think I also found the parameter for that page that gets a valid response but I'm unable to move further. Any help would be appreciated

Oops, I figured out my next step. I overlooked a simple vulnerability. Ugh!

This was a great box. Really fun to get foothold, user wasn't tedious, root was clever. Feel free to PM if you need a nudge.

Iā€™m sorry if this is a spoiler but I have to ask.
As usual with box where you have to deal with time, it either works or it doesnā€™t just because some evil entity desires so.
How do you account for the time gap ?
I spent the last two hours trying to work around it. I managed ONCE to get code execution, but have been unable to reproduce it since then.

The path until that point was really fun, but Iā€™m really having headaches right now.

Edit : Ok, it finally worked, Iā€™m not sure why but, heyā€¦ :slight_smile:

If you can, try resetting the box before you try root. Then clean up your tracks when you're done getting the flag.

Very nice box! DM me if you need a hint! :smiley:

Hey folks, please don't forget to clean the machine after rooting.
It is pretty annoying to discover that someone has rooted, and the leftovers block you from pwning the box.

Hello all!
Sorry if this is a spoiler but how did you manage to deal with the time issue when looking for your file? I think I did all the steps correctly but I can't reach my file.
I tried to match the timezone of the machine but it seems that I'm unauthorized…