Yeah I saw the path disclosure, but it's not helpful at this stage. If you can wait till tomorrow I can team up with you, although I'm doing this on very low priority right now.
Comments
Yeah, I could use a bit of help on this one, I see the obvious path for the foothold but no idea how to trigger it. Would appreciate some reading material or a nudge
FYI, sample area (upload file) is functioning with Chromium but not from Firefox for me. I'm using Kali Rolling.
I see absolutely nothing obvious. There's u*.j that's pretty much happy about anything you feed it, except for a certain type.
Stuck there, how did 5 people find this in under 1h? This keeps puzzling me, would love to watch over someone's shoulder how they approach this stuff and get it so fast.
User blood is gone, so I think I'm gonna give up disappointed as every Saturday.
> @choupit0 said:
Gotta be kidding me. Cool I wasted my time for 2h with curl because that's what we are doing here on such a thing that's not doing what you might expect.
> @sparkla said:
I found a l******.t*t file also. Concerning the author of the website code, with a link.
That's usually just the author of the free html-template.
> @sparkla said:
Yes, nothing interesting.
Does this box require setting up p**tfix or something similar? If so, could one point me to good resources to securely deploy an S**P server? Thanks
> @W4RR10R said:
> Does this box require setting up p**tfix or something similar? If so, could one point me to good resources to securely deploy an S**P server? Thanks
You can do:
apt install postfix
hostnamectl and /etc / hosts to configure your hostname (FQDN)
/etc / postfix/ main.conf and master.conf to configure postfix
systemctl start postfix and fix any remaining errors
mail [email protected] to test
(sorry for the spaces, the waf triggered)
But the box won't know where to send the email cause it doesn't connect to the public internet and so it cannot query real nameservers. Even if it could, your hostname won't be there. And even if it would be there, cause you bought a domain, it still wouldn't be able to reach you unless you enter your VPN IP into the public DNS, and your VPN IP (tun0) changes each time you log in.
It won't happen, but why not try a gmail address, never seen it on a box, maybe something new? I doubt it, too dangerous to leave the private shooting range we have here
But I hope I could teach you a practical bit at least.
I'm pretty sure I know what the vuln to exploit is. I know uploading a certain filetype leaks a lot of information about where the uploaded file is saved. I can upload my se*******d o****t "s****on" file. But can't find the good path to make my JS******D point to it.... If someone can give a nudge. Or share some thoughts.
Edit: Finally got it! Path is really helpful...
Edit: Rooted. Amazing box! Thx @MrR3boot and @MinatoTW
No Idea what it is doing on the backend, like folder structure to get se*******d o****t file
I am able to upload certain files from the service page (except image files) but I cannot find where the file is uploaded. Can someone give a nudge..
Same as above... no idea where to find/use uploaded files. Nudges please
I'm trying to read u.jp to see where the files I uploaded go but I get invalid request, not sure if my steps are correct or not
.
@m1r3x how did you find this kinda file, I have already used filter to extract all js files in gobuster. It revealed only u****d.js
> @offs3cg33k said:
nvm, I wrote wrong file name by mistake.
I can see the filepath where it attempts to put the file you upload, just have no idea how to utilize it. Any nudges?
Are we sure that there is any kind of analysis on the uploaded files ?
Rooted, great box
'These violent delights have violent ends'
Got user! Very educating user process.
> @Caracal said:
any nudges for root?
Any nudges for root? All my enumerations have failed me so far.
@m1r3x said:
@purplenavi said:
Enum carefully the network environment, google and you are in.
You are in? Great! How much do you know about a common way to communicate between application and the environment you are in?
'These violent delights have violent ends'
I got the user (thanks for the nudge @gverre about the s*rial...).
NSE vulners could help you to identify the right security issue...
After, Google to find an interesting article... but before you have to try different things to find the right path... B*rp could help.
Tried everything to enum the right file path for my uploads but wasn't able to figure it out. Any nudges
> @rahul63425 said:
dm
can someone nudge me on the root part. I think I have figured out something, but can't guess which way to turn it to exploit