Bounty

Can’t find user.txt anywhere, any hints?
edit: nvm :slight_smile: I forgot how to use dir

Hi, I’m still quite new to the web applications side of things. I managed to find something that I know will be used. But for that I would need to do some action before. Can anyone give me a hint or point me to a resource so that I can learn about it? If you prefer you can DM me.

Can’t get my rev_tcp to connect back. Built it with file format and arch in mind and can upload it, but nothing back when I visit it, no events in Wireshark for some reason. Anyone able to tell me what I’m doing wrong with it or just plain say I’m going the wrong route :slight_smile:

Could someone help? I ran dirb and found a directory but nothing else. I enumerated something about ASP.NET but I don’t know what to do.

Anyone have a pointer for the shell portion? I believe I know the file I need to upload to do RCE, have tested this by executing a ping to myself and I see the results in tcpdump. I have not been able to figure out how to get the RCE to display anything back to me or to execute webshells (I always get a 500 error). Any pointers let me know, feel like I am close, just must be overlooking something simple.

Hint about uploading file. I used null injection, bypass using double extension and invalid extension bypass with no success. In addition I tested with all the extensions I know in order to determine the whitelisted/blacklisted extensions.

There is an article how you can execute commands after some generation IIS. But I couldn’t copy and use this code. After rewrite starter works

@Maniek said:
There is an article how you can execute commands after some generation IIS. But I couldn’t copy and use this code. After rewrite starter works

Would you mind sending me (PM) the link to this article?

Thnx

Got root, PM me for any hint :wink:

hahahahah, I don’t know how HTB accepted this box,
this box is less than script kiddies level :D,
However thanks to the creator

I am doing foothold step. This is super easy if you did Aragog machine :smiley:
Oops. Wrong box!

Interesting and fun box - and humbling … theoretically I should have known about the initial foothold as I have worked with that platform / service for a long time. But it seems I had to test every non-applicable exploit and misconfiguration until I googled the correct one.

My hint, with hindsight: If you find some non-working exploits / interesting articles that sound as if they should apply here but aren’t - take a look at the names of the guru researchers whose names come up again and again - the guys who found several exploits. Check what else they have written …

Having issues with how to make use of the RCE, can see ping when I execute, but haven’t been able to make any use of it, partly because I can’t get any output working in my code so I can see what’s what. Anyone able to drop me a message or a push?

@J3rryBl4nks said:
Is anyone able to get a stable shell? Mine keeps getting a 500 after 2 requests.

It’s because there are too many people overwriting your file. You just need to use your initial shell to create another one that is a bit more stable. Think about things you can upload, perhaps things that are available in Linux by default that you usually use.

Someone able to send me a DM with a small hint on how to get the initial shell?
I think I have RCE, managed to find an example showing that I have RCE but every further step throws an error 500 :frowning:

Please help, I’ve found some directories but no file so far, always having 403 forbidden error, what’s next?

got root :slight_smile: dug a bit further based on some pointers…

Finally I got a limited webshell. Anyway, I have a problem establishing a real reverse shell connection. I tested all I know. Please, I would really appreciate a hint via PM.

@cvrloz said:
Please help, I’ve found some directories but no file so far, always having 403 forbidden error, what’s next?

any hints uploading the file?

Hi, have found the page and corresponding directory. Have established what can be uploaded but am having trouble getting that uploaded file to work how I want it to. Have tried all the methods I know about by using Burp. A small nudge would be appreciated.

Thanks