Official Mr. Burns Discussion

Official discussion thread for Mr. Burns. Please do not post any spoilers or big hints.

Oops “Allowed memory size of 134217728 bytes exhausted”

hint, anyone?

I got shell, but I can’t read the flag due to open_basedir restriction, any idea?

I have the feeling that I’m missing something.

Thanks!

@n3b0r said:
I got shell, but I can’t read the flag due to open_basedir restriction, any idea?

I have the feeling that I’m missing something.

Thanks!
pm me, maybe I can help you!

Type your comment> @p4w16 said:

@n3b0r said:
I got shell, but I can’t read the flag due to open_basedir restriction, any idea?

I have the feeling that I’m missing something.

Thanks!
pm me, maybe I can help you!

Done! Thanks man

So, i need help on this :(. I am not sure where to continue. I’m so lost!

! 1) I see the decs and i can read somethings

  1. I can’t get any shell (not even a clue what shall i google that could help)

! 3) I have read the code, not sure if it is a problem in fpm/nginx or in the code itself

I believe the issue must be similar in imagetok. I just lack the knowledge of what i need to search for.

I seem to be stuck at this one…
Just to make sure, do you need to exploit/use multiple endpoints to get the shell?

Tastro , I have managed thanks to some hints, it is really one of those that you need to go step by step removing barriers. There are many ways to get it.

! For instance one thing that is key is to realise the difference between the info endpoint of the docker image and the info endpoint of the htb site. This will give you the first part where to look.

@nadid said:

Tastro , I have managed thanks to some hints, it is really one of those that you need to go step by step removing barriers. There are many ways to get it.

! For instance one thing that is key is to realise the difference between the info endpoint of the docker image and the info endpoint of the htb site. This will give you the first part where to look.

Thanks, that’s a good hint! Got shell now!

Finally got the flag! It was hard but I loved it. If someone need help pm me.

I am able to execute PHP commands but still unable to get shell due to disable_functions. Any hints how to bypass this?

any hints for how did you get the shell is there any hidden directory where there is a file upload or something?

This was a great challenge, loved it!

Hints to those stuck:

  1. The docker is actually very slightly different to the hosted one. The difference is a hint
  2. You should be able to find one fairly easy to exploit vuln. You’ll need that but not on its own.
  3. A genius did a writeup of how to exploit 1)
  4. To go from PHP RCE to shell RCE you need another reasonably well-known “feature” of a popular PHP function

I need a hint on the last piece of the puzzle.
Please, DM me to discuss about how to go from PHP RCE to native RCE.

! I tried a few known paths, including the fm st, bs d*****e fs and custom e*n. But no luck.

I’m totally stuck right at the beginning. I have found one vuln, but was not able to get anything out of it.
Anyone willing to help?

In case someone else has the problem that the ./build_docker.sh does not work out of the box.
Try to modify Dockerfile to use “FROM alpine:latest” instead of “FROM alpine:edge”.

Hi everyone. Can someone give me a first hint? Do i start with LFI in order to go deeper?

Can someone help me for the challenge?