Redcross

first blood user…

Any list I use for sub******s, it's just not working TT with wfuzz

gobuster?

Finally got user.
Now on the root!

@xsmile said:
Found three pages with logins but no credentials.

I have found 4 login functionalities, but can't access any of them for now.

@w31rd0 said:

@xsmile said:
Found three pages with logins but no credentials.

I have found 4 login functionalities, but can't access any of them for now.

Have you managed to get past this? All I have left is a brute force but @s1gh said that isn’t a thing…

Okay, for those of you requiring a starting point, begin to enumerate /do.../ using directory-list-lowercase-2.3-small.txt with the most common portable document format extension. The login credentials can be guessed anyway, so use this as your last resort.

Report this as spoiler if you think I said too much.

@numbfrank said:

@w31rd0 said:

@xsmile said:
Found three pages with logins but no credentials.

I have found 4 login functionalities, but can't access any of them for now.

Have you managed to get past this? All I have left is a brute force but @s1gh said that isn’t a thing…

Yeah, I got past it.
So for starters, guessing may be helpful: trying “default” and common “accounts”.

@fjv said:
Okay, for those of you requiring a starting point, begin to enumerate /do.../ using directory-list-lowercase-2.3-small.txt with the most common portable document format extension. The login credentials can be guessed anyway, so use this as your last resort.

Report this as spoiler if you think I said too much.

Great hint @fjv

Rooted. Feel free to PM me for hints.

This #GuessTheBox CTF stuff is out of control. :confused:

I’ve found several accounts via S**-In***** … It’s using a certain hash type I can’t decrypt. Is it really needed to decrypt?

@dennisveninga said:
I’ve found several accounts via S**-In***** … It’s using a certain hash type I can’t decrypt. Is it really needed to decrypt?

AFAIK no need. The password for one of the accounts is trivial. The s* coo* can be used on another vh*

I’m not a big fan of these “hidden files in web directories” boxes. It’s ultimately brute force. Sending tens of thousands of random requests resulting in 404s would easily be blocked.

Maybe it’s real-world realistic, but to me it’s a lame initial foothold.

@snowman418 said:
I’m not a big fan of these “hidden files in web directories” boxes. It’s ultimately brute force. Sending tens of thousands of random requests resulting in 404s would easily be blocked.

Maybe it’s real-world realistic, but to me it’s a lame initial foothold.

I tend to agree with you, but this box isn’t that bad. All you have to do is run the normal dirbuster list recursively and you should find what you need (although I would recommend searching for common filetypes if you run out of other options).

@snowman418 said:
I’m not a big fan of these “hidden files in web directories” boxes. It’s ultimately brute force. Sending tens of thousands of random requests resulting in 404s would easily be blocked.

Maybe it’s real-world realistic, but to me it’s a lame initial foothold.

Don’t really need to find any hidden files to get an initial foothold though.

Anyone who rooted able to PM me; I’m not sure my route was the intended way?

@TMFS24 said:
Anyone who rooted able to PM me; I’m not sure my route was the intended way?

Not sure mine was either.

I have a question regarding user. Someone PM me pls. I don’t want to spoil it for others.

So here is my review after wrapping up this box. Starting off, the box was a little bit average for my taste: you have to guess the first credentials in order to get a login, which cost me a heavy amount of time on the initial foothold. At the next step you are pushed into doing some work dumping credentials to reach a point where you can tell what type you have to exploit. Exploiting is not that hard, now going for the RCE and the stuff. It’s pretty straightforward, keeping up with how you add your user and whitelist your IP to access the box (yes, they are indeed spoilers, so keep your eyes off if you don’t want to be spoiled, but hey, you are on a forum so I take that back). After at last getting the RCE and dealing with the user, you have to deal with a ret2libc + ASLR exploitation; duh, come on mate, that box is not supposed to be a 30 pts box with that method. Later on I discovered another method, which I used to gain root access.

@Frey said:
So here is my review after wrapping up this box. Starting off, the box was a little bit average for my taste: you have to guess the first credentials in order to get a login, which cost me a heavy amount of time on the initial foothold. At the next step you are pushed into doing some work dumping credentials to reach a point where you can tell what type you have to exploit. Exploiting is not that hard, now going for the RCE and the stuff. It’s pretty straightforward, keeping up with how you add your user and whitelist your IP to access the box (yes, they are indeed spoilers, so keep your eyes off if you don’t want to be spoiled, but hey, you are on a forum so I take that back). After at last getting the RCE and dealing with the user, you have to deal with a ret2libc + ASLR exploitation; duh, come on mate, that box is not supposed to be a 30 pts box with that method. Later on I discovered another method, which I used to gain root access.

There is a second method to obtain user, easier than the one you are mentioning.