Wall

Got root. box is very slow in free servers
user way is a strange. root way (easy) (www-data->root) match with one machine from OSCP lab.
PM for hints

any hints on how to upgrade from www to root?

I popped the box. R00T baby!

This was a great box, no complaints, I learned things. Thank you!

Type your comment> @hiwire said:

This was a great box, no complaints, I learned things. Thank you!

some clue

I have creds for the service, but need help getting the exploit to work. I’ve tried formatting it in different ways/using different commands with no luck. Please PM for some direction.

How ya’ll getting creds for c*****? Trying to run hydra at it but might not have a great grasp on the syntax

@0x6a666c6a72 said:
I have creds for the service, but need help getting the exploit to work. I’ve tried formatting it in different ways/using different commands with no luck. Please PM for some direction.

Same here, if anyone could point me to the right direction it would be greatly appreciated :smile:

@saminskip said:
How ya’ll getting creds for c*****? Trying to run hydra at it but might not have a great grasp on the syntax

Execute hydra -U <protocol> if you want to get a quick understanding of the syntax. It includes some examples that could inspire you.

I suppose I’m weak on the final “Login Failed” portion ect. How best to work out the syntax to let hydra know it has a failed login.

Rooted the box.

What worked for me:

  • Using the API for brute-forcing the password. If you know anything about web apps vs. REST APIs you know why.
  • Using the API for exploiting the vulnerability. I couldn’t get the payload to work using the known exploit. After some frustration, I wrote my own script that took my remote command as an input, and allowed me to execute the exploit using the API. Worked right away! After completing the box I think I know why the REST API was a better path.
  • I went wd → root. Basic enumeration showed something that could easily be exploited for priv esc.

DM if you need a nudge.

after reading the forum and a message, i also wrote a brute-forcer in bash with api for the fun., but from exploit, you can also do the same in python

this challenge is the pits

i recently noticed that i hate hacking
im pretty sure it’s just become a self-harm ritual at this point

i do not understand the low rating, i had lots of fun with this box, pretty fast done everything taken into consideration.

:slight_smile: thanks @askar

Type your comment> @Ketil said:

i do not understand the low rating, i had lots of fun with this box, pretty fast done everything taken into consideration.

:slight_smile: thanks @askar

I 100% agree! This box was a lot of fun. It threw in some frustration and forced you to kinda think of ways to get around stock presets. I love it when curve balls get thrown. Not saying it was a hard box, but it had a great balance of challenge without being so time consuming. I liked it. Thank you.

Can someone explain @argot 's teacher hint a little more detailed? I dont get it

Any hint on the “verbs” hint? I’m not a native english… I’m at the point of “bad credentials” reply from API except one cred that results in a 403. Not sure i’m on the right path.

after we found the pages, is it LFI or SQL inj method, tried bruteforce with top verbs collections but after 4hrs it got failed, can any share some more hints about Argot theory pls

Type your comment> @suretshi said:

Init HINT for dumb people like me who can’t find с*******:

  1. First you need to find m*********
  2. to search for m********* you need to do the most common thing that can be done with d**b tool and at the same time not give him anything that is outside of his standard directory.

After that, pay all attention to the found m*********, but, as already said, you do not need brute force!

  1. Then the question arises: what can be done other than brute-forcing?
  2. Here you need a hint about the teacher and verbs.
  3. however, this was not enough for me: note that sometimes a slash can be crucial
  4. after that you should look at what the server told you.
    I hope I haven’t suggested too much?

@suretshi Can you DM me? Or can anyone? I figured out the “verb” I was supposed to use, but I am very much a noob at web stuff and don’t really know what to do with the information I received. Thank you in advance!

rooted

so i have made a python script to bruteforce the API, it rocks, but it is taking ages…