Bounty

@Cryovenom said:
This box is kicking my ■■■. I found a directory where I’m assuming I should be able to place a file to give me a reverse shell, but I can’t seem to figure out how to upload a file at all. I’ve thrown every enumeration tool I’ve got at this thing and come up empty handed. I thought I found an rce vuln but it seems that all I can do with it is DoS, which isn’t helpful. I’ve spent way too much time googling things related to the name of the box, the architecture of the web server, and the picture on the one static index page…

Can someone give me a hint on getting an initial foothold?

If you haven’t found a place to upload, maybe you should focus your enumeration on the server technology. You don’t need a huge wordlist, just play with parameters. Think about the kind of pages that you may find.

I know what to upload and where, but still not working… If anyone is willing to help me see what I’m missing a PM would be great. :slight_smile:

@NinjaRockstar said:
I know what to upload and where, but still not working… If anyone is willing to help me see what I’m missing a PM would be great. :slight_smile:

Same here, any kind of hint on the payload would be greatly appreciated.

@NinjaRockstar @natalioruiz If you google for exploits by uploading [thing you already know] you find an article with a small PoC - you can use this to check if code is executed. Replace the PoC code lines by a command for executing system commands in that language and parse the multi-line output.

Stuck on this box. Enumerated and found a way to upload files, know where the files are uploaded, bypassed file upload protection, and know that I can run code in a certain language, but any useful code in that language, such as running a system command, results in a 500, apparently because the box’s designer intentionally made it so that specific libraries needed to run commands etc. would not function. No matter how simple the payload, it just doesn’t work. Have yet to find a way past this problem.

SOOO… no ■■■■… there I was. Able to upload to the server but unable to execute or find the right payload (can’t figure out which is the problem). Messed around with file name manipulation while uploading with burp to no avail. Can anyone give me a bit of a nudge on how to get any presence on this box? PM if possible.

Found a file I can upload and mess with… just can’t figure out which coding language / syntax to utilize to take advantage of it…

got a shell. Any tips for finding user.txt? I feel like im missing something

It’s a windows box… all the users are in a certain users folder… all users have a desktop…

Hi I found rce.It is working sometime but it isn’t working sometime Why?..Hint Please PM…

@RageQuit, yeah I missed the obvious there somehow. Stuck on Privesc now, any hints would be appreciated

Im probably missing something stupid. I can run almost any command I want on the machine using an uploaded web command shell, except for getting a reverse shell which results in a 500 error. Any hints on where I should look next? Thanks

Rooted the box last night. :smile:

Really good box, I learned a lot. Thank you @mrb3n

I don’t get it. Everyone gets root so easily yet here I am… trying every privesc exploit from x86 and x64 suggesters and still staying as a user… :confused:

@Thun said:
I don’t get it. Everyone gets root so easily yet here I am… trying every privesc exploit from x86 and x64 suggesters and still staying as a user… :confused:

same place ;(

Struggling to figure out what to upload. Tried all of the things I can think of and still getting Invalid File. Any hints for how I can figure this out or do I just need to iterate through even more?

Can someone please let me know what kind of payload to use. I know what file I need to upload but I keep getting 500 error whenever I try to access it after doing the upload

Finally got it! Awesome box!

what wordlist are u guys normally using to find the directories? i been enumerating this box for a whole day and found couple of 301 directories and when i tried to access all are 403 forbidden and an aspnet_client directory. cant rather find the directory to upload as there were people mentioning in this thread that there is a directory where we can upload for rce. a nudge in the correct path would be gud.
i also exif the image where 2 similar images were in it.

@strolling33 said:
what wordlist are u guys normally using to find the directories? i been enumerating this box for a whole day and found couple of 301 directories and when i tried to access all are 403 forbidden and an aspnet_client directory. cant rather find the directory to upload as there were people mentioning in this thread that there is a directory where we can upload for rce. a nudge in the correct path would be gud.
i also exif the image where 2 similar images were in it.

Are you searching for files as well as directories? Think about what file extensions you are searching for. What type of web server is it, and what framework is running on it? What type of files may you find used by that framework?