Bounty

Hi,

Just rooted the machine.

@J3rryBl4nks said:
Is anyone able to get a stable shell? Mine keeps getting a 500 after 2 requests.

I got this too, but after I refreshed the page it was OK.

@Waffles said:
Having trouble with PrivEsc, if somebody feels like giving some advice please PM me.

Don’t overcomplicate, find the arch of the machine and follow this rabbit :wink:

@J3rryBl4nks said:
Is anyone able to get a stable shell? Mine keeps getting a 500 after 2 requests.

Yup, very stable until someone reset the box :wink:

Just remember:

  • If you upload something and get a 400 error, then the upload failed despite the “success”
  • If you upload something and get a 500 error, your payload is wrong

Before resetting the box, try with an image; if you can get it afterwards, then Bounty is working well.

@mpgn said:
Hi,

Just rooted the machine.

@Waffles said:
Having trouble with PrivEsc, if somebody feels like giving some advice please PM me.

Don’t overcomplicate, find the arch of the machine and follow this rabbit :wink:

Holy ■■■■!

I spent so long on getting a stable functional reverse shell that I didn’t even notice this part. Literally after you said that, the light bulb turned on and 5 min later I had root.txt.

Found interesting files. Doing a Google search and using dirb is enough. I think this step is uncommon, so maybe you could skip it (for anyone who found nothing in the web server) :smiley:

I’m uploading a file generated with msfvenom compatible with the web arch of this server, meterpreter/reverse_tcp, and it doesn’t work, does nothing. I tried also in one of my virtual machines with the same webserver installed on it and it does not work the same. I think msfvenom has problems generating working files for this specific web arch. Do any of you have the same problem? Should I find an alternative way than msfvenom and metasploit handler to get a reverse shell?

My web shell keeps getting stomped so fast I can’t enumerate anything.

Guys I strongly recommend doing this box in a private (FF) or incognito (Chrome) window and be sure to delete all site data (cookie, cache, offline data, etc.). Once I figured this out (with the help of @im4x5yn74x), I didn’t have to keep resetting the box. I was able to recover it after it started to hang, which it did A LOT. Practically after every “major” command I ran. Until I caught onto this, I was unable to “execute” despite my other successes. I hope this helps someone.

Remix: Ok, it’s actually better without the private/incog window. That way you can delete the site data when you need to without sometimes needing to reopen the window.

Yeah, delete cookies if it hangs. Wait for a moment if it throws 500s at you if that doesn’t work.

Got root on eu-free without a single reset necessary. Just a lot of patience. Don’t enter the race of who can overwrite stuff faster, just give it a minute and try again.

Could anyone nudge me in the right direction for priv esc. Have a couple ideas but shaky on the execution part…

Hello everyone, I found some pages about uploaded stuff… but I have no clue how to use that. Could anyone give me a little push in the right direction?

I’m able to upload, and I know where they are going to. Having issues with payload. Can someone pm me so I can just check I’m not barking up the wrong tree

@AgentTiro said:
I’m able to upload, and I know where they are going to. Having issues with payload. Can someone pm me so I can just check I’m not barking up the wrong tree

seconded, same here

@digitalp2k said:

@AgentTiro said:
I’m able to upload, and I know where they are going to. Having issues with payload. Can someone pm me so I can just check I’m not barking up the wrong tree

seconded, same here

third that, tried a lot of formats with msfvenom but no luck

PM me for hints on payload for initial foothold.

Got root finally. That was a doozy and a fun one, especially after getting past the unstableyness. Shout out to @mrb3n for the good stuff :slight_smile:
Best tip for this box: mind the architecture.

@valkyrix said:

@digitalp2k said:

@AgentTiro said:
I’m able to upload, and I know where they are going to. Having issues with payload. Can someone pm me so I can just check I’m not barking up the wrong tree

seconded, same here

third that, tried a lot of formats with msfvenom but no luck

And … me too… I have tried many options like shell, reverse, web and exif in many formats: asp, aspx, php. Thus, I think my way to upload is not correct. I would appreciate help to learn something new.

Rooted the SYSTEM…PM for help !!!

@bonjourpancake said:
Could anyone nudge me in the right direction for priv esc. Have a couple ideas but shaky on the execution part…

so uh I had it right the first time but I just had to reset the box… rip :frowning:

Got root! Available for PM.
Small advice: prepare everything in advance so you’re not disturbed by other people trying the same thing :slight_smile:

@darkz3ro said:
Easy box but unstable. I don’t know if someone is deleting files, but I can’t have more than 1 minute with a shell, then I need to reset the machine.

How are you able to access your webshell? Whenever I go to the Spoiler Removed - Arrexel it just gives me a 403. And of course a direct answer to this would be a spoiler but could you nudge me in the right direction. I have exhausted my word-lists for dir busting.