Wall

rooted

So I have made a Python script to bruteforce the API, it rocks, but it is taking ages…

@igaralf said:

So I have made a Python script to bruteforce the API, it rocks, but it is taking ages…

Are you sure it’s working as intended? It should take seconds. The pass is among the first 50. (You can PM me your script if you’d like)

Is the username for the c***** a guessing game or is it default?

nvm got it!

I wrote a script to bruteforce the login page and got the password, but I would like to know how to bruteforce the API part. I don’t know what data to send (I tried ad***=&pass***=) but it keeps saying unauthorized.

I understand how the exploit works. But while adding the server manually, I get 403 forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

I enjoyed the box. Thanks @askar … To anyone that is struggling the hints that are listed should be more than enough to get you there. I made this way harder than it had to be.

@tang0 said:

I understand how the exploit works. But while adding the server manually, I get 403 forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

Nope. That mechanism is kinda sketchy, but our best guess is that whenever you get 403 forbidden it is because of the usage of some restricted chars, like space for example. That could also be used to verify (kinda) your payload being legal.

@badman89 it could easily be guessed but could even easier be rocked

Is it normal to be getting 403s on the m**n.gt.pp ?

Can somebody give me a hint? Found the usual files and one protected folder, others also have mentioned already. Please PM me.

NVM found it

Got root. I can try to give you hints if you PM me.

I found .php, p**.php, /s*****-s*****, and /m*********. I don’t understand the VERB hint or how anyone discovered c*****. Can anyone PM me for what the next step should be?

This one was weird. Didn’t like that you get root and can get user and root flag but oh well!

@gNarv3 said:

This one was weird. Didn’t like that you get root and can get user and root flag but oh well!

The way for just User s***** is actually quite nice. I think the path straight to root was not intended.

[long and kinda misleading question about cve]
EDIT: got www shell
Check what special chars are not allowed in desired field. Remove them completely, you can divide rce into as many parts as you want.

I wonder if it is possible to crack hashes from db and restricted area? Has anyone done this?

@sazouki said:

I wrote a script to bruteforce the login page and got the password, but I would like to know how to bruteforce the API part. I don’t know what data to send (I tried ad***=&pass***=) but it keeps saying unauthorized.

check the response, should be ‘Bad credentials’

For those having issues with the CVE exploit. Using the CVE exploit requires people NOT modifying the only poller configuration, especially the name. For goodness sake, duplicate it and modify it to your heart’s content. Also, read the CVE write-up by @askar, who I think is also the box creator.

Can someone DM me, I can’t figure out what the “VERB” is after getting the m*********/ and a*.*** and p****.***.

Not a fan of having to brute force anything. That was a bit on the annoying side. Though getting around the CSRF was pretty fun. The next few steps were pretty standard stuff, though I did learn a few tricks. All in all it was okay.

I’m having trouble modifying the exploit and can’t seem to get it to work. It doesn’t seem to connect to my machine and I can’t figure out why.

Could somebody PM me and help me out a little bit?