Curling from Hack The Box: tips and hints

Some tips and hints for the Curling VM: https://www.hackthebox.eu/home/machines/profile/160

Quite an easy and interesting machine. I’ll publish a full walkthrough once the VM is retired.

So, some tips:

  1. Enumerate not only HTTP folders, but also files with zip, txt and pdf extensions.
  2. Many modern CMSes allow editing themes/files through the admin interface. Dirbusting/wfuzzing can help to find appropriate credentials.
  3. Take a look at backups. They are often stored in zip, bzip or tar archives. In some cases they use a combination of compression algorithms, for example tar+gzip. Sometimes the file utility can help; in other cases googling the file header may give a clue.
  4. Curl, the admin folder and cron-like activity are the key to the root flag.
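
Tip 3 in practice, as an added example that is not part of the original post: it names each layer from its header bytes, the way the file utility does, and strips nested compression under a size cap until it reaches an archive or plain data. The names `identify`, `peel`, `members` and the 64 MiB `LIMIT` are assumptions of this example.

```python
import bz2
import io
import lzma
import tarfile
import zipfile
import zlib

LIMIT = 64 * 1024 * 1024  # assumed cap: refuse to expand a layer past 64 MiB
# Stream compressors by leading magic; wbits=31 makes zlib expect gzip framing.
STREAMS = {"gzip": (b"\x1f\x8b", lambda: zlib.decompressobj(31)),
           "bzip2": (b"BZh", bz2.BZ2Decompressor),
           "xz": (b"\xfd7zXZ\x00", lzma.LZMADecompressor)}


def identify(data):
    """Name the outermost format from its header bytes, as file(1) would."""
    for name, (magic, _) in STREAMS.items():
        if data.startswith(magic):
            return name
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    # tar has no leading magic: "ustar" sits at offset 257 of the first header
    return "tar" if data[257:262] == b"ustar" else "data"


def peel(data, max_layers=16):
    """Strip nested compression; return (layer names outermost first, rest)."""
    layers = []
    while len(layers) < max_layers and (kind := identify(data)) in STREAMS:
        data = STREAMS[kind][1]().decompress(data, LIMIT + 1)
        if len(data) > LIMIT:
            raise ValueError(f"{kind} layer expands past LIMIT")
        layers.append(kind)
    return layers + [identify(data)], data


def members(data):
    """List names inside a zip or tar without extracting anything to disk."""
    kind, buf = identify(data), io.BytesIO(data)
    if kind == "zip":
        with zipfile.ZipFile(buf) as z:
            return z.namelist()
    if kind == "tar":
        with tarfile.open(fileobj=buf, mode="r:") as t:
            return t.getnames()
    return []
```

Call `peel` on the raw bytes of a backup file and pass the remainder to `members` to see what the archive holds before extracting anything.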

Try harder, enumerate more and good luck.
