HTB Caption - Linux - Hard
by mhsoraa - Saturday September 14, 2024 at 06:31 PM
#81
How did you guys figure out the root?
Reply
#82
(Sep 15, 2024, 07:42 PM)upl04d3r Wrote:
(Sep 15, 2024, 05:52 PM)terk12 Wrote: Why am I getting an error?
 ssh -i id_rsa margo@10.10.11.33
Load key "id_rsa": error in libcrypto
margo@10.10.11.33's password:

I had the same problem; fortunately ChatGPT fixed it and formatted the key.

dos2unix id_rsa
vim --clean id_rsa

in vim:
:wq
Reply
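Added example (not part of any post in this thread): the two commands quoted above strip carriage returns and, because vim writes a final newline on save, restore a missing trailing newline; the script below reports and repairs the same copy-paste damage in one step. The function names `key_problems` and `fix_key` are hypothetical.

```shell
#!/bin/sh
# Added example: diagnose and repair formatting damage in a pasted private key.
# key_problems / fix_key are illustrative names, not part of OpenSSH.

# key_problems FILE: print a space-separated list of the defects found.
key_problems() {
    cr=$(printf '\r')
    p=""
    # Windows line endings (CRLF) left over from copy-paste
    if grep -q "$cr" "$1"; then p="$p crlf"; fi
    # last byte is not a newline ($(...) strips a trailing newline, so
    # a non-empty result means the file ends without one)
    if [ -n "$(tail -c 1 "$1")" ]; then p="$p no-final-newline"; fi
    # spaces or tabs at the start or end of a line
    if tr -d '\r' < "$1" | grep -Eq '^[[:blank:]]+|[[:blank:]]+$'; then
        p="$p padding"
    fi
    echo "${p# }"
}

# fix_key FILE: rewrite FILE with LF endings, no padding, a final newline
# and owner-only permissions. Empty lines are kept because legacy PEM keys
# need the blank line between their headers and the base64 body.
fix_key() {
    tmp=$(mktemp) || return 1
    awk '{ sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); print }' "$1" > "$tmp" || return 1
    chmod 600 "$tmp" && mv -f "$tmp" "$1"
}

# Usage: sh fixkey.sh id_rsa   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then
    echo "before: $(key_problems "$1")"
    fix_key "$1" && echo "after:  $(key_problems "$1")"
fi
```

Afterwards, `ssh-keygen -y -f id_rsa` prints the public key if the file now parses.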
#83
I can't log in with root:root at http://caption.htb:8080/signin
2 days ago I could log in with root:root successfully, but now I can't.
I tried to change VPN and reset the machine, but nothing helped.
Reply
#84
(Sep 27, 2024, 01:12 PM)khairy24 Wrote: I can't log in with root:root at http://caption.htb:8080/signin
2 days ago I could log in with root:root successfully, but now I can't.
I tried to change VPN and reset the machine, but nothing helped.

They patched this machine. Those were unintended solutions.

Reply
#85
Hello, could you please advise how to access http://10.10.11.33:8080/ after the patch? (root no longer works)
Reply
#86
Who can help with the user part?
Reply
#87
This will help with getting a foothold as margo the intended way: https://github.com/BishopFox/h2csmuggler
Reply
#88
(Oct 27, 2024, 04:32 AM)miserey Wrote: This will help with getting a foothold as margo the intended way: https://github.com/BishopFox/h2csmuggler

Hmm... I'm chasing after the intended solution for the moment & still failing to make it right. They seemingly patched everything.
Even the previous HAProxy ACL bypass with `//` doesn't work anymore.

I've found XSS via Varnish cache poisoning to steal admin's cookie & get inside (although, there's no difference between user or admin in the interface. Kind of lazy copy-pasta shitty machine).

Tried different fuzzing & methods to bypass HAProxy, or poison Varnish cache, or HTTP/2 req smuggling via manual & automated approaches... still nothing.
Used different tools (including the one you've mentioned).
https://github.com/intrudir/BypassFuzzer
https://github.com/BishopFox/h2csmuggler
https://github.com/defparam/smuggler.git

Varnish is also vulnerable to different HTTP/2 req smuggling attacks (look up some CVEs)... however...
There's a tricky part here... HTTP/2 is a binary proto & it only works via TLS/SSL connection.
I also tried to modify some of these tools... and I got nothing yet. Any tricks here?
Reply
#89
(Sep 14, 2024, 06:31 PM)mhsoraa Wrote: https://www.hackthebox.com/machines/caption
https://app.hackthebox.com/machines/625

Have fun and good luck everyone!

https://pbs.twimg.com/media/GXR-8C8WcAIbnPF?format=jpg

It got patched. Does someone have the complete writeup?

Reply
#90
(Oct 27, 2024, 04:43 PM)mazafaka555 Wrote:
(Oct 27, 2024, 04:32 AM)miserey Wrote: This will help with getting a foothold as margo the intended way: https://github.com/BishopFox/h2csmuggler

Hmm... I'm chasing after the intended solution for the moment & still failing to make it right. They seemingly patched everything.
Even the previous HAProxy ACL bypass with `//` doesn't work anymore.

I've found XSS via Varnish cache poisoning to steal admin's cookie & get inside (although, there's no difference between user or admin in the interface. Kind of lazy copy-pasta shitty machine).

Tried different fuzzing & methods to bypass HAProxy, or poison Varnish cache, or HTTP/2 req smuggling via manual & automated approaches... still nothing.
Used different tools (including the one you've mentioned).
https://github.com/intrudir/BypassFuzzer
https://github.com/BishopFox/h2csmuggler
https://github.com/defparam/smuggler.git

Varnish is also vulnerable to different HTTP/2 req smuggling attacks (look up some CVEs)... however...
There's a tricky part here... HTTP/2 is a binary proto & it only works via TLS/SSL connection.
I also tried to modify some of these tools... and I got nothing yet. Any tricks here?

Same here, bro. I tried to XSS on the firewall page, but even the admin can't get past this proxy. Do you have any ideas?
Reply

