Bounty

Same for me - I've been at this for 2 days. Multiple payloads, the exif approach too. No joy :anguished:

Even just trying a very simple wshell way is not going anywhere…

Well now I feel like I’ve tried everything. Including: MSFVenom ASP payloads, echoing out a FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell…

I don’t understand how other people are transferring arbitrary files easily… I’ve exhausted every tool in my toolbox. I can’t get a reverse shell at all… any hints would be seriously appreciated.

@panic said:
Well now I feel like I’ve tried everything. Including: MSFVenom ASP payloads, echoing out a FTP script on the victim to download nc.exe, echoing out a wget.vbs script to try to transfer files, putting PowerShell scripts onto the victim to create a reverse shell…

I don’t understand how other people are transferring arbitrary files easily… I’ve exhausted every tool in my toolbox. I can’t get a reverse shell at all… any hints would be seriously appreciated.

This comment should be mine lol

FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

@panic said:
FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but I can’t manage to embed the payload within that particular file and have it launch a reverse shell from that.

Think about the platform Bounty is running on.
And that goes from multiple angles… what web server is running and what kinds of files are associated with it? And what OS is running and what can you do with that?

Got user, but at a loss with the priv esc…

@0x23B said:

@panic said:
FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it, but I can’t manage to embed the payload within that particular file and have it launch a reverse shell from that.

I would also appreciate a nudge on the file upload. I have found a couple of allowed formats, but I'm not sure if I can use them.

Rooted, finally. PM me if anyone needs hints.

I have nt authority\system … but website says the hash I got is not correct for Bounty… hrmm… do I need to hunt around? or is something messed up?

Got Root! Great machine!
But can someone please pm me how you got meterpreter session? I was not able to get meterpreter at all…

First I tried to upload a webshell but I couldn’t manage to get it executed, so I tried a hello world script: same result (HTTP error 500) :frowning:

@techdad said:
website says the hash I got is not correct for Bounty… hrmm… do I need to hunt around? or is something messed up?

Predictably, after a reset I got a different hash that was fine.

To whomever uploads a modified flag file: you are a ^%&@%&#^%@&%**QWE&^*E!

The box is unstable.

@p1d0f said:
The box is unstable.

I think it is more the users/attackers that make it so, when they are trying the same things as you are doing.

I have been working on this box for several days now, trying to get a shell running. I’ve tried several ways, but none of them work. My meterpreter shell gets the connection but quits after “Sending stage”; another reverse shell also closes immediately.

I know the server, the supported file type and the supported language, but the reverse shell part drives me crazy… Any hints?

Reverse shell seems a little bit tough and unstable.

I finally got the user and want to share some important steps with you:

  • There are some rabbit holes!
  • Do a proper enumeration
  • When you find out what kind of data can be “injected”, you’re probably on the right track, keep going, there is more
  • It’s very easy to verify RCE (like “copy, paste, verify” - that kind of easy)
  • Now you have to find the right payload, which is not that easy, but possible. Shorter payloads will help you understand issues :wink:

Can anybody PM me? I'm so stupid - I can upload files, but can't get a shell or something like that :(