Rooted, didn’t enjoy the box, I’m sorry to the creator. These are hints I wish I had known when I was doing the box, from w******a to root.
Enum Hints:
There is a hidden directory that dirb cannot find with normal wordlists… OSINT is the key
[this is an issue that I had personally] the known way to do this box did not work for me, I had to find an alternative way for RCE… more enumeration will get you exactly what you want
Root Hint : enumerate for un-patched software
PM if you need help with the box and star my profile if this helped!
Guys, I have got the www-xxxx@Wall:/usr/local/cxxxxn/www$ shell. Lost completely here, could anyone please help guide me by PM - thank you in advance. +respect
Now on wwwdata to get further. Was stuck for ages on the pwd part with my scripts. In the end, check the variables you use for your attempts.
echo / print is key to validate all good
I had errors in bash and in python. Once those were fixed, few seconds…
thanks for the hints! will proceed
This box is not well designed. There is a regular user, actually I saw once in the process list that someone logged in as that user, but brute forcing the password with simple lists leads nowhere. So I could read the user flag only when I rooted the box. Apparently it is easier to get root than to get user.
Yet, I liked the challenge of getting a first shell, although I still don’t get why some ways fail and others don’t; of course, at some point you can easily see how others tried it - I wonder whether they succeeded. I also liked the priv esc for root - it’s not at all subtle or cunning (a very basic enumeration gives you the evidence for what’s wrong here) but you need to get all details right; took me a few experiments and lost shells to figure out how that works.
Hi guys, is there someone who can tell me how I can get the credentials for C******** ?
I already used Hydra for bruteforcing, I tried bypassing, I tried the default credentials of the service.
I’m stuck here for a while.
Edit: I have found the password manually!
I have looked everywhere for credentials. I don’t want to brute force since most say it’s not needed. Can you throw me a hint or DM?
Init HINT for dumb people like me who can’t find c*******:
First you need to find m*********
To search for m********* you need to do the most common thing that can be done with the d**b tool and at the same time not give it anything that is outside of its standard directory.
After that, pay all attention to the found m*********, but, as already said, you do not need brute force!
Then the question arises: what can be done other than brute-forcing?
Here you need a hint about the teacher and verbs.
However, this was not enough for me: note that sometimes a slash can be crucial.
After that you should look at what the server told you.
I hope I haven’t suggested too much?
Rooted,
I have to say very good box, never had to try VARS while doing initial recon and I’ve learned a new trick, with the access and then exploit again if you do your research correctly, understand what’s running on the server and how to trigger RCE it’s downhill from there. Very much real-life pen testing skills, recon and understanding of the platform is the key. Very well done to the author.
Got root from www-data, with an exploit that was used in another HTB box a few months ago. All in all, had some fun and learned some stuff with this one, so, thanks @askar !
Can I DM anyone about the www-data > user path ? Thought it was SQL related at first, but it turns out someone just left that open while popping the box. Can’t really see anything, now, would love to know !
Finally rooted, after 3 frustrating days…
My hints:
USER: everything is said already in the forums about the bad characters. Pay attention to escape things you do not need or just give them what they want. Also the script is not ending after it sets the payload