Bounty

Can someone give me a hint on how to bypass the upload? I tried many techniques, but unsuccessfully.

rename :slight_smile:

Finally I got root.
Took many days to find the exploit :smiley:

I’ve figured out how to upload files, which file to upload, and what language can be used for RCE. However, normal msfvenom payloads aren’t working for a reverse shell. Can someone PM me a hint on the payload to get the reverse shell?

Same for me - been at this 2 days. Multiple payloads, exif approach too. No joy :anguished:

Even just trying a very simple wshell way is not going anywhere…

Well now I feel like I’ve tried everything. Including: MSFVenom ASP payloads, echoing out an FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell…

I don’t understand how other people are transferring arbitrary files easily… I’ve exhausted every tool in my toolbox. I can’t get a reverse shell at all… any hints would be seriously appreciated.

@panic said:
Well now I feel like I’ve tried everything. Including: MSFVenom ASP payloads, echoing out an FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell…

I don’t understand how other people are transferring arbitrary files easily… I’ve exhausted every tool in my toolbox. I can’t get a reverse shell at all… any hints would be seriously appreciated.

This comment should be mine lol

FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

@panic said:
FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but can’t manage to embed the payload within that particular file and have it launch a reverse shell from that.

Think about the platform Bounty is running on.
And that goes from multiple angles… What web server is running and what kind of files are associated? And what OS is running and what can you do with that?

got user, but at a loss with the priv esc…

@0x23B said:

@panic said:
FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but can’t manage to embed the payload within that particular file and have it launch a reverse shell from that.

I would also appreciate a nudge on file upload. I have found a couple of allowed formats, but not sure if I can use them.

Rooted, finally. PM if anyone needs hints.

I have nt authority\system … but website says the hash I got is not correct for Bounty… hrmm… do I need to hunt around? or is something messed up?

Got Root! Great machine!
But can someone please PM me how you got a meterpreter session? I was not able to get meterpreter at all…

First I tried to upload some webshell but I couldn’t manage to get it executed, so I tried some hello world script: same (HTTP error 500) :frowning:

@techdad said:
website says the hash I got is not correct for Bounty… hrmm… do I need to hunt around? or is something messed up?

Predictably, after a reset I got a different hash that was fine.

To whomever uploads a modified flag file: you are a ^%&@%&#^%@&%**QWE&^*E!

The box is unstable.

@p1d0f said:
The box is unstable.

I think it is more the users/attackers that make it so when trying the same as you are doing.