Spoiler Removed
@jindom said:
got the decrypted conf file, changed something in my local box, but still not able to find the login page in that http port, any help?
Use the bridge. That eight arms dude is your friend.
Also stuck at the login page. Combing through the config files again but my first pass only found 1 password that doesn’t seem to be used.
Stuck on login page.
HELP needed!! found some files but they are encrypted. cannot see how to access.
Got into mgr and enumerated more hosts, one seems to be acting differently than the others. Still wondering if the cve for s**id is a rabbit hole or not? Found a poc but haven’t gotten it to work yet.
@axxer said:
So I’m on a web page but I don’t have any creds except the one password we used to get info about this page. Any nudges will be appreciated.
Same here. This is my first Hard Machine :neutral:
It was an interesting experience, learnt a lot on this box.
Got user :neutral:
Hint: don’t get stuck on rabbit holes like I did. If you tried everything that you can, take a step back and think about what you are doing. How is the architecture designed? How does it work? How does that compare to what you have?
Research every piece of info that you get, especially from the locations that everyone is mentioning here. There is a way in.
User is the only hard part in this box.
For root just read what you have and find an exploit, there is MSF available for this.
Amazing box!!!
User was tough - lots of enumeration. I got stuck at some little things. Thanks @Caracal
LOL I hit enter before I finished…
Thanks also @lmakonem.
Root was easier. Just google when you find it
Found the suspicious one but it’s hard to find an exploitable vuln with such a small surface… will continue tomorrow
Challenging box. As is often the case, lots of enumeration is needed.
I had to install some new tooling to read the things I recovered but after that, it flows a bit more naturally. You have a lot of information but if you focus on things which relate to your enumeration, you can minimise the data overload.
Remember the mantra "dump creds, crack creds, use creds" - if you ever find creds, use them.
From there you can find a clue by what is missing. Probe for it and see what happens.
After that you find a fairly traditional attack. It just takes forever to complete to get to user.
Privesc is potentially easy but you absolutely need to fully understand (and modify) the attack you are using.
Rooted!!!
Thanks for all the help and hints.
If someone could nudge me in the right direction on how to access that manager, I’d be very thankful. Already found the unsafe rule but stuck with a deny. Also tried using that tool.
Edit: Figured out where I was going wrong thanks to @amplex!
Finally rooted!
Thanks for the box @polarbearer & @GibParadox.
If anyone needs help, contact me.
Nice! I got stuck in a couple of places during foothold but managed to trust my instinct and persevere. As mentioned before, each piece of information is important to get to the next step. Follow the paper trail. Pay attention to what is NOT there.
If you need a nudge, let me know.
Happy Hacking!
Rooted!
Thanks to @bdadoo for the nudge. PM if you need a nudge.