Wall

Rooted, didn’t enjoy the box I’m sorry to the creator. These hints I wished I knew when I was doing the box. from w******a to root

Enum Hints:

  1. There is a hidden directory that dirb cannot find with normal wordlists… OSINT is the key

  2. [this is an issue that I had personally] the known way to do this box did not work for me, I had to find an alternative way for RCE… more enumeration will get you what you exactly want

Root Hint : enumerate for un-patched software

PM if you need help with the box and star my profile if this helped!

Guys, I have got the www-xxxx@Wall:/usr/local/cxxxxn/www$ shell. Lost completely here, could anyone please help guide me by PM - thank you in advance. +respect :slight_smile:

now on wwwdata to get further. Was stuck for ages on the pwd part with my scripts. in the end, check your variables you use for your attempts.
echo / print is key to validate all good :wink:
I had errors in bash and in python. once those where fixed, few seconds…
thanks for the hints! will proceed

This box is not well designed. There is a regular user, actually I saw once in the process list that someone logged in as that user, but brute forcing the password with simple lists leads nowhere. So I could read the user flag only when I rooted the box. Apparently it is easier to get root than to get user.

Yet, I liked the challenge of getting a first shell, although I still don’t get why the some ways fail and others don’t; of course, at some point you can easily see how others tried it - I wonder whether they succeeded. I also liked the priv esc for root - it’s not at all subtle or cunning (a very basic enumeration gives you the evidence for what’s wrong here) but you need to get all details right; took me a few experiments and lost shells to figure out how that works.

Finally rooted from ww*** to root…

Type your comment> @roelvb said:

Hi guys, is there someone who can tell me how I can get the credentials for C******** ?
I already used Hydra for bruteforcing, I tried bypassing, I tried the default credentials of the service.

I’m stuck here for a while.

Edit: I have found the password manually!

I have looked everywhere for credentials. I don’t want to brute force since most say it’s not needed. Can you throw me a hint or DM?

Type your comment> @suretshi said:

Init HINT for dumb people like me who can’t find с*******:

  1. First you need to find m*********
  2. to search for m********* you need to do the most common thing that can be done with d**b tool and at the same time not give him anything that is outside of his standard directory.

After that, pay all attention to the found m*********, but, as already said, you do not need brute force!

  1. Then the question arises: what can be done other than brute-forcing?
  2. Here you need a hint about the teacher and verbs.
  3. however, this was not enough for me: note that sometimes a slash can be crucial
  4. after that you should look at what the server told you.
    I hope I haven’t suggested too much?

Thanks. I needed this.

Rooted,
I have to say very good box, never had to try VARS while doing initial recon and I’ve learn new trick, with the access and then exploit again if you do your research correctly, understand whats running on the server and how two trigger RCE it’s downhill from there. Very much a real-life pen testing skills, recon and understanding of the platform is the key. Very well down to the author.

I’m stuck on trying to bruteforce c******* creds, I’ve tried to ROCK a modified CVE Script, but I’m having no success.

Could someone send me a DM?

Rooted. I enjoyed only the user part, since the root part (www-data → root) was trivial.

Hint for User: When you hit the Wall, the internal field separator may come in handy.

rooted, I learnt a lot

Rooted
Nice box, enjoyed it
DM if you are stuck

Got root from www-data, with an exploit that was used in an other HTB box a few months ago. All in all, had some fun and learned some stuff with this one, so, thanks @askar ! :slight_smile:

Can I DM anyone about the www-data > user path ? Thought it was SQL related at first, but it turns out someone just left that open while popping the box. Can’t really see anything, now, would love to know !

Type your comment> @ml19 said:

now on wwwdata to get further. Was stuck for ages on the pwd part with my scripts. in…

Thanks, will do :slight_smile:

Got root before user as well, through w**-**** initially… Not sure how someone would go through the user first… If anyone has a clue.

Does the “Verb” hint have to do with a cred or a directory?

Type your comment> @0rbit4L said:

Does the “Verb” hint have to do with a cred or a directory?

Think about protocols here.

Can someone please PM me with a hint on how to get the creds for c******?

FINALLY rooted. Thank you so much to @cdf123 , @menessim , and @rowra for all your help!!!

Finally rooted, after 3 frustrating days…
My hints:

USER: everything is said already in the forums about the bad characters. Pay attention to escape things you do not need or just give them what they want. Also the script is not ending after it sets the payload :wink:

ROOT: I too went from www → root it sticks out

Thanks to @redshift and @greenpanda999 for saving me from insanity :neutral: