Get user was hard, but root is obtained straight from www-data.

-Tips for user:

  1. Enumeration is your best friend
  2. API is always a gold pot. You must use it.
  3. Now, you need to prepare yourself against a long battle with command-injection! Try to find escape characters.

-Tips for root:

  1. Look at your privesc-enumeration. It is there!

In particular, I got root from www.

Is there another way?

PM for nudges!

Good luck!

@ptavares That long battle, do you have any hints besides escape characters? I played with figuring what it didn’t like, but still no dice. Can’t seem to get a reverse shell.

i manage to find that page c***** people were mentioning but trying to figure out the credentials? is there any way other the bruteforce or do i need to poke around? if anybody can DM with a tip i will appreciate it

Well, I am currently learning in this field, it is I help to learn many things and I hope that in my future machines I will also do it. In my opinion of noob the machine has or is very complete for people who are starting (like me) so very good machine to learn. Hints:

  1. Enumeration
  2. Enumeration
  3. CVE
  4. Enumeration
  5. CVE

Thanks to all the people who helped me!

Rooted !

Honestly user part was nice after all but root was totally not challenging :/.

PM me if needed :slight_smile:

Rooted :mrgreen:

Went down a rabbit hole so the Initial shell was easier for me than root.

HInt for root: make sure you check version info during enumeration.

Managed to “bruteforce” login creds for /c******** but now I’m struggling with 403 Forbidden.

I’ve figured out “what” is triggering 403 but I have no idea how to bypass it.
Can anyone give me a nudge?

I am also struggling to get the credentials for the /c******* . I tried with many different ways such as try to guess, default credentials, bruteforcing with different wordlists and common usernames, and also I wrote a python script in order to bypass the CSRF protection, if this was the problem but with no luck either… There is a password that no matter the username, gives you a different response (403) but isn’t helpful because you can’t use-access the required url’s for the public exploit… I really don’t know what else should I do…

Could anyone help me with brute-forcing? I am working with Wfuzz at the moment, but I haven’t got a lot of flops with me and it’s taking it’s time.

rooted over a day or so! hmu for hints/help/musings! kinda liked this box to be honest.

i found the authentication required but i stack there help me hint ple

I haven’t found /c*******. I’ve used dirb and dirbuster. Dirbuster keeps giving me errors, pauses itself or has a 8hour wait time. Dirb doesn’t find it. Very first box, still have a lot to learn.

Finally rooted, If anyone needs any help ping me.

Anyone able to hint me how to get anything to test the C…/i…php file. Getting headaches trying to deal with tokens to attempt to logon…

Almost thinking of resorting to guessing and typing passwords in…

Finally rooted.

Thanks for people who helped for this box.
Path to w**-***a > root was way easier than anything else.

If needed ping for nudge!

can anybody give me a hint on what to modify on my script . i got the cred but i cannot trigger the listener…

I’m Have w**** shell but I need advice for root :confused:

I found c******* login page but i’m unable to get the login credentials with hydra a little nudge would be appreciated

Someone could help me please? I know the cre for c******* and I found the exploit but it is not working! It says run succerssfully but I do not get a shell…someone could please help me out?

Thanks @Thr0yr for the nudge. I was down a rabbit hole! :slight_smile: