Wall

I have tried rewriting this exploit, and it simply isn’t working. I’ve also tried to exploit manually, but I’m continually getting 403s once I put a space in the input field. I’ve encoded the space and same thing. This is frustrating…

Rooted. Box as a whole seems too contrived. Curious if there’s more than one way to root. Path I took was a bit underwhelming.

Hints for user: once you get past using the right verb, you’ll hit the “wall.” Keep trying different things and you’ll get past it. Can be done from the UI if you understand the exploit. Then enumerate some more to get user, or you can go straight to root and then get user after.

Hints for root: standard Linux enumeration plus another exploit.

Feel free to PM if you’re stuck.

If this is too much to ask just say so but… should I be “dictionarying” m********* or c*******? I’m trying to use h**** for it but I’m new to it so I can’t tell if what I’m doing wrong is syntax or what I’m going after.

Thanks in advance :slight_smile:

EDIT: I think I was using the wrong approach. Tried piping in my passwords of choice to something else that I had come across but thought I’d need to know the creds already.

Can anyone who did not find the password by “guessing” but by brute forcing contact me and tell me his/her way to approach? I built a small script using curl to read cookies+token and use them for request but it fails all the time.

Root hint:
Do your basic enum. and watch the output very carefully. The exploit is straightforward, and once you have found it, don’t spoil it for other people. Clean up your tracks quickly. Good luck.

Init HINT for dumb people like me who can’t find c*******:

  1. First you need to find m*********
  2. To search for m********* you need to do the most common thing that can be done with the d**b tool and at the same time not give it anything that is outside of its standard directory.

After that, pay all attention to the found m*********, but, as already said, you do not need brute force!

  1. Then the question arises: what can be done other than brute-forcing?
  2. Here you need a hint about the teacher and verbs.
  3. However, this was not enough for me: note that sometimes a slash can be crucial.
  4. After that you should look at what the server told you.

I hope I haven’t suggested too much?

my nc is not getting anything >< darn exploit… help anyone ??

@Warlord711 said:

Can anyone who did not find the password by “guessing” but by brute forcing contact me and tell me his/her way to approach? I built a small script using curl to read cookies+token and use them for request but it fails all the time.

If you know the exploit you need to use, you can easily convert that into a brute force script, that’s how I did it (even after guessing it, I made the script anyway)

Anyone got his exploit to work after getting past “the wall”? The first CVE, to get user.
Edit: currently with my shell as www-data

ROOTED,
PM me for hints

For those struggling with the correct payload to get a shell, remember bash can decode things in a certain base. Remove if it’s too much info xD

Hey guys!

Seems a lot of you have some trouble with the machine! Well, let me clarify two points:

1- You don’t need to perform any OSINT to solve the machine; all the required steps exist in the machine itself.

2- You don’t need to “HARD guess” anything (passwords or paths); you can find what you want easily in the commonly used wordlists.

I hope you guys enjoyed it or at least gained some new knowledge from it, and if you need any help just ping me :wink:

Cheers!

I have problems making the payload work. It looks like everything is correct but I can’t get the reverse shell working… any hint for this? Please PM, and thanks in advance.

Anyone wanna team up for this box?

@askar thx for the machine, I’m enjoying it very much, although or maybe even because I’m struggling with the exploit right now.

@b3c0n said:

my nc is not getting anything >< darn exploit… help anyone ??

I am having the same issue.

I see that some have gotten w**-d*** shell, but is the forbidden error in the c******* part of the game? In running the published exploit?

@Tohzzicklao said:

For those struggling with the correct payload to get a shell, remember bash can decode things in a certain base. Remove if it’s too much info xD

Hmmm, and that has to be carefully crafted, we don’t want a rm -rf / in there :wink:

@toka said:

for people struggling at getting initial shell, you have to modify your exploit code

  1. check this box’s name, why it says “wall”?

I rooted with a command left by someone else, can you PM me what the box name has to do with it?

As a dum dum, I’m really not getting the VERB hint. Can someone PM me some help?