Bounty

Comments

  • I've figured out how to upload files, which file to upload, and what language can be used for RCE. However, normal msfvenom payloads aren't working for a reverse shell. Can someone PM me a hint on the payload to get the reverse shell?

  • Same for me - been at this 2 days. Multiple payloads, exif approach too. No joy :anguished:

    vorlon

  • Even just trying a very simple wshell way is not going anywhere...

  • Well now I feel like I've tried everything. Including: MSFVenom ASP payloads, echoing out an FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell....

    I don't understand how other people are transferring arbitrary files easily.. I've exhausted every tool in my toolbox. I can't get a reverse shell at all... any hints would be seriously appreciated.

  • @panic said:
    Well now I feel like I've tried everything. Including: MSFVenom ASP payloads, echoing out an FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell....

    I don't understand how other people are transferring arbitrary files easily.. I've exhausted every tool in my toolbox. I can't get a reverse shell at all... any hints would be seriously appreciated.

    This comment should be mine lol

    xMrR0b0t

  • FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I'd never actually used the specific technique... damn it. Lol.

  • edited July 2018

    @panic said:
    FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I'd never actually used the specific technique... damn it. Lol.

    Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but I can't manage to embed the payload within that particular file and have it launch a reverse shell from that.

    0x23b

  • Think about the platform Bounty is running on.
    And that goes from multiple angles... What web server is running and what kind of files are associated? And what OS is running and what can you do with that?

  • got user, but at a loss with the priv esc...

  • @0x23B said:

    @panic said:
    FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I'd never actually used the specific technique... damn it. Lol.

    Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but I can't manage to embed the payload within that particular file and have it launch a reverse shell from that.

    I would also appreciate a nudge on file upload. I have found a couple of allowed formats, but not sure if I can use them

  • Rooted, finally. PM if anyone needs hints.

    VishalBedi

  • I have nt authority\system ... but website says the hash I got is not correct for Bounty... hrmm.. do I need to hunt around? or is something messed up?

    techdad

  • Got Root! Great machine!
    But can someone please PM me how you got a meterpreter session? I was not able to get meterpreter at all..

    AmsHusky18

  • First I tried to upload some webshell but I couldn't manage to get it executed, so I tried some hello world script: same (http error 500) :(

  • @techdad said:

    website says the hash I got is not correct for Bounty... hrmm.. do I need to hunt around? or is something messed up?

    Predictably, after a reset I got a different hash that was fine.

    To whomever uploads a modified flag file: you are a ^%&@%&;#^%@&;%**QWE&^*E!

    techdad

  • The box is unstable

  • @p1d0f said:
    The box is unstable

    I think it is more the users/attackers that make it so when trying the same as you are doing

    Dltd

  • I have been working on this box for several days now, trying to get a shell running. I've tried several ways, but none of them work. My meterpreter shell gets the connection but quits after "Sending stage", and another reverse shell also closes immediately.

    I know the server, the supported file type and the supported language, but the reverse shell part drives me crazy... Any hints?

    0x23b

  • Reverse shell seems a little bit tough and unstable.

    Hack The Box

  • I finally got the user and want to share some important steps with you

    • There are some rabbit holes!
    • Do a proper enumeration
    • When you find out what kind of data can be "injected", you're probably on the right track, keep going, there is more
    • It's very easy to verify RCE (like "copy, paste, verify" - that kind of easy)
    • Now you have to find the right payload, which is not that easy, but possible. Shorter payloads will help you understand issues ;-)

    einfallstoll

  • Can anybody PM me? I'm so stupid - I can upload files, but can't get a shell or something like that :(

    kiriknik

  • @kiriknik said:
    Can anybody PM me? I'm so stupid - I can upload files, but can't get a shell or something like that :(

    PM'd

    drtychai

  • Can someone PM me on what kind of payload I should upload?
    I found a few extensions that are whitelisted but am very lost on what to do next.

  • I struggled with the user portion because the way it's supposed to be done is not that obvious imo - probably a good thing for a challenge lol. Privesc is trivial though.

    nscur0

  • Can't even get the initial foothold haha :''v

    Puerkito66

  • I've found where I can upload, and where my uploaded stuff goes to. I have not been able to get RCE from there though. When I bypass the upload filter a few different ways I just get 404 at their destination, or non-executable payloads. Any hints on what I might be missing? Would appreciate any guidance.

  • @deadbear said:
    I've found where I can upload, and where my uploaded stuff goes to. I have not been able to get RCE from there though. When I bypass the upload filter a few different ways I just get 404 at their destination, or non-executable payloads. Any hints on what I might be missing? Would appreciate any guidance.

    Same situation here, can someone PM me for help?

  • @dhar40k said:

    @deadbear said:
    I've found where I can upload, and where my uploaded stuff goes to. I have not been able to get RCE from there though. When I bypass the upload filter a few different ways I just get 404 at their destination, or non-executable payloads. Any hints on what I might be missing? Would appreciate any guidance.

    Same situation here, can someone PM me for help?

    Perhaps others found different solutions, but what worked for me was not trying to bypass the filter at all. I just uploaded the file it will accept and put minimal code into that file.

    For those who are struggling to get the initial foothold, be assured that I struggled for a very long time to get user on this box, and it was a great learning experience. If you've enumerated enough, the clues given in this forum are enough to get you there.

  • lol...madness. I've tried quite a bit of crap and can't get things executed.

    HE4DTR1P

  • edited July 2018

    PMs welcome. I'm tired of looking at this box.

    HE4DTR1P
