Wall

HTB Content Machines
341

■■■■

this

box

342

Rooted:

This one was an interesting ride for sure. I get the feeling this box was all about teaching the main challenge and how it’s execution works. Which is okay because I learned a lot in the process.

To those struggling - Your scanners should give you all you need to get started. You actually need to learn how to make the exploits work, and once you are in it’s just some enumeration + CVE.

PM me if you need some help.

343

Learned a ton on this guy. Kudos to askaar for such an awesome box. Ended up modifying his exploit to pop root.

PM for hints / nudges, took a few myself.

344

Spoiler Removed

345

Type your comment> @NikolaITA said:

Any hint on the “verbs” hint? I’m not a native english… I’m at the point of “bad credentials” reply from API except one cred that results in a 403. Not sure i’m on the right path.

“get" is verb,you can try another way ,have a try~

346

I’ve finally got root. I learned a lot. Now it’s time for user.

347

Got user and root about an hour ago. Great box :wink: Took 3-4 days off and on, with a LOT of help from members here in the thread. Thank you all so much for the hints/help.

348

Hi everyone,
I am super stuck on user…
found:
/a*.pp
/p**el.pp
/m*****ring

Really need a nudge :frowning:

349

Spoiler Removed

350

Type your comment> @hanter said:

hi can give login and password to c*******.
I use hydra -l admin -P /usr/share/wordlists/rockyou.txt -V -s 80 10.10.10.157 http-post-form “/c*******/index.php:useralias=^USER^&password=^PASS^&submitLogin=Connect&centreon_token=5f923252acb7ba121a306c3fd683ce79:Your credentials are incorrect.”

for place this-l admin can be insert-L/usr/share/wordlists / rockyou.txt

Thank you :slight_smile:

351

I liked the box, especially getting foothold on the machine. I learned a lot there, at first I didn’t GET the teacher hint, but after using my HEAD I found it out :wink: I think a specific specification was written by teachers.

From initial shell to root was a piece of cake.

352

Got root, found it to be quite a nice box. Also got root without obtaining user though.

The authors script won’t work straight out of the box but it is a very useful resource to find out the steps required for manual exploitation.

If you require any hints feel free to PM me.

353

FYI - once you figure out how to privesc. Fully interactive shell doesn’t work well for privesc. At least it didn’t for me.

354

I’ve altered the RCE to download something from my webserver and execute it for a shell. I am getting a notification that it gets downloaded, but it wont trigger i shell? :frowning:

355

finally root are not easy

356

root was mega simple, but getting initial shell took… a while. DM if you want

357

@l30n said:
FYI - once you figure out how to privesc. Fully interactive shell doesn’t work well for privesc. At least it didn’t for me.

It worked perfect (except for visual tab completion, but functionality worked) for me after giving it 2 commands.

358

Hydra didn’t work in /c******* page, but works with the API.
PM if u need help c:

359

Spoiler Removed

360

Finally rooted. Ended up doing every step manually. If anyone needs a hand, let me know.

Just curious: Was there any way to get that password without brute forcing/guessing?