Bounty

Can someone please let me know what kind of payload to use? I know what file I need to upload, but I keep getting a 500 error whenever I try to access it after doing the upload.

Finally got it! Awesome box!

What wordlist are you guys normally using to find the directories? I've been enumerating this box for a whole day and found a couple of 301 directories, and when I tried to access them they are all 403 Forbidden, plus an aspnet_client directory. I can't find the directory to upload to, as people mentioned in this thread that there is a directory where we can upload for RCE. A nudge in the correct path would be good.
I also ran exif on the image, and there were 2 similar images in it.

@strolling33 said:
What wordlist are you guys normally using to find the directories? I've been enumerating this box for a whole day and found a couple of 301 directories, and when I tried to access them they are all 403 Forbidden, plus an aspnet_client directory. I can't find the directory to upload to, as people mentioned in this thread that there is a directory where we can upload for RCE. A nudge in the correct path would be good.
I also ran exif on the image, and there were 2 similar images in it.

Are you searching for files as well as directories? Think about what file extensions you are searching for. What type of web server is it, and what framework is running on it? What type of files may you find used by that framework?

I have code execution on the host, but any type of msfvenom payload I try just returns a 500 error. I know what architecture the machine is running and what variant of host OS, and I have tried various types of shell: reverse/bind/PowerShell. I have tried enumerating the machine from within the command-based webshell, but still no shell. Any guidance? Thanks

Can someone give me a hint on the initial attack vector on this machine? dirb and burp haven't given me any luck in this challenge.

@MaTRiX13 said:
Hi, I found RCE. It is working sometimes, but it isn't working other times. Why? Hint please, PM…

I see the same effect. Anyway, there's a delayed script running every few seconds which is deleting content. I don't know why sometimes it is working and sometimes it is not. It's not a problem of refreshing the browser, and I get a 404 error.

Can someone give me a hint on how to bypass the upload? I tried many techniques, but unsuccessfully.

rename :slight_smile:

Finally I got root.
It took many days to find the exploit :smiley:

I’ve figured out how to upload files, which file to upload, and what language can be used for RCE. However, normal msfvenom payloads aren’t working for a reverse shell. Can someone PM me a hint on the payload to get the reverse shell?

Same for me - been at this 2 days. Multiple payloads, exif approach too. No joy :anguished:

Even just trying a very simple wshell approach is not going anywhere…

Well, now I feel like I've tried everything. Including: msfvenom ASP payloads, echoing out an FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell…

I don’t understand how other people are transferring arbitrary files easily… I’ve exhausted every tool in my toolbox. I can’t get a reverse shell at all… any hints would be seriously appreciated.

@panic said:
Well, now I feel like I've tried everything. Including: msfvenom ASP payloads, echoing out an FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell…

I don’t understand how other people are transferring arbitrary files easily… I’ve exhausted every tool in my toolbox. I can’t get a reverse shell at all… any hints would be seriously appreciated.

This comment should be mine lol

FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

@panic said:
FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but I can't manage to embed the payload within that particular file and have it launch a reverse shell.

Think about the platform Bounty is running on.
And that goes from multiple angles: what web server is running and what kind of files are associated with it? And what OS is running and what can you do with that?

Got user, but at a loss with the priv esc…

@0x23B said:

@panic said:
FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but I can't manage to embed the payload within that particular file and have it launch a reverse shell.

I would also appreciate a nudge on the file upload. I have found a couple of allowed formats, but I'm not sure if I can use them.