Rabbit

The machine has quite a few “rabbit holes”. I have enumerated the machine quite heavily and have found several things that would like me to log in, but I haven’t been able to guess or find any sort of credentials to any of them.

Based on their versions, none of these “holes” seems to be susceptible to direct exploits without authentication.

I’m beginning to think that perhaps I’m missing something crucial here, but I have no idea what it might be. I would greatly appreciate it if someone could give me some guidance towards the initial step. Should I continue dirbustering to find some credentials or should I try harder to bruteforce the login?

(I don’t want to list all the things I have found as that would count as a spoiler)

The best thing I can say to you without spoiling it for you would be to enumerate everything that is a web server :slight_smile: I hope this doesn’t spoil anything

Better use gobuster, I avoid dirbuster

@peek said:
Better use gobuster, I avoid dirbuster

Agreed :slight_smile:

Who you gonna call? Gobusters! Here’s some gobustering in case someone else has difficulties on this machine or some other machine: gobuster enumerator for hack-the-box machines. This generates huge amount of useless requests.. · GitHub

(Most likely I made some mistake earlier when I did this manually.)

(Script mentions directory SecLists, which is something I added to Kali from GitHub. Contains additional wordlists and other useful lists for pentest purposes.)

@Malkinowns71 said:
The best thing I can say to you without spoiling it for you would be to enumerate everything that is a web server :slight_smile: I hope this doesn’t spoil anything

There is indeed something vulnerable. I can even log on, but do not have enough privileges to exploit. Hmmm …

I managed to get 3 working user credentials. I have tried various techniques :frowning: but failed to go any further. Could someone give me a hint to proceed further?

So I think I found what I need to find from 'bustering. Now I have two different account hashes that should be useful but haven’t been able to crack. They are both different hash types as well. I also have about 10 other accounts with an easier to crack hash and managed to crack three of them, but can’t figure out where the accounts work. I still don’t have any type of shell or RCE, so maybe they can be used later. Should I keep trying to crack these or did I miss something important?

Thanks for the gobuster comments, didn’t know it existed but it’s quite nice compared to the alternatives.

@excidium we are in the same boat :tired_face:
Could someone give a hint to proceed …

The two more difficult hashes might be uncrackable. The 10 easier ones should be useful, or at least some of them are useful.

I’m struggling with a certain payload I have in my hands. My payload is in a way “accepted” by a certain system and looks actually very similar to other payloads I have accidentally seen there, but for some reason it doesn’t have any effect. So maybe it’s not executed or maybe I have missed something about this.

Very humiliating experience this has been so far to me :cold_sweat:

@lokori said:
Who you gonna call? Gobusters! Here’s some gobustering in case someone else has difficulties on this machine or some other machine: gobuster enumerator for hack-the-box machines. This generates huge amount of useless requests.. · GitHub

About to start enumerating this machine, and after I saw your post I decided to modify your script so it works on any GNU/Linux. I am personally using BlackArch as my main desktop, so the path to the files is different, which is why the variables and array.
https://gist.github.com/ReK2Fernandez/fe49a07d096aff95c17572d9ea170ab1

Since that post I have also added -l option to Dirbuster so that I get the length of server response in addition to HTTP status. Sometimes the length makes all the difference to find the interesting one compared to “normal”.

So far I found something interesting among all the rabbits and fake vulns :slight_smile: Not sure if it is the right thing yet, but I was able to create a certain account and then modify certain things to change privileges. Will continue tomorrow, need to work in a couple of hours. Cheers. @lokori yeah, the one I usually use has a couple more options as well.

Any nudge towards priv esc?

There is access to the correct interface (I guess), there is even a clue given, what to do next. There are even exploits (I tried two so far) which should potentially work and … nothing, no shell so far. What am I doing wrong?

Yeah been poking around this box and found a few rabbit holes. Is someone around to help steer me in the right direction? Been enumerating and testing for vulns for several days. Not sure what is left to test.

So far I found 3 apps (o, j, c). Atm it looks like all of them are rabbit holes. Is one of them the door in or do I need to do more enumeration? PM appreciated, thanks.

I have access to two of them (probably even to all, did not check everything yet), a number of hashes and … still trying to figure out where the way to getting the user is. Really irritating.

@gash said:
So far I found 3 apps (o, j, c). Atm it looks like all of them are rabbit holes. Is one of them the door in or do I need to do more enumeration? PM appreciated, thanks.

Maybe one of them is the door, maybe not. Just try to exploit every single endpoint you detected. If you do not, you will never know whether it is the door or not. Try Harder!!

@macw141 said:
I have access to two of them (probably even to all, did not check everything yet), a number of hashes and … still trying to figure out where the way to getting the user is. Really irritating.

Read carefully every piece of information you got while attacking the box. After you realize what you need to do, try to make it work on your own system.