Canape

@kekra said:
Great box - no ‘obvious guesses’ involved, you can build up the ‘exploit’ step by step.

Seems I was lucky with the reverse shell - it worked right away and was very stable, so I did not try to work around the ‘remaining expected error’. My advice is to 1) build up a non-malicious pe gradually, so that you can be sure that the server unps it nicely. 2) Then add a payload and keep it as simple as possible.

As others have said, create your own scripts to replicate what the server does. If you review the code, see how you can ‘activate’ / ‘deactivate’ a payload so that you can tell issues with encoding etc. from issues with the actual payload.

For escalating to user: Don’t be too aggressive with published exploits, just look around :slight_smile: Escalation to root - no surprises: Follow the standard procedure, google a bit.
My payload works fine: the server gives me a quote response.
My malicious code works fine: I tested it with the function (the same function as in the source code).
My payload with malicious code gives me a 500 error.
I saw the response result and I think I saw the problem, but I don’t know what to do next. Thanks for a hint!

Nice weekend at the beach, some head-clearing was necessary. Just wondering if I should ‘check’ the ‘id’ to get at something…

Got root without any exploits. :+1:

I have only found 2 services so far. Tried DIRbust, no result. Do I have to enumerate more with nmap? Seems like there’s another service that I am missing.

Anybody here to help with the payload…??

Is the submit form vulnerable or not?? The 1st parameter checks for a regex name match and the 2nd parameter… tried many injection techniques… can’t verify whether it’s vulnerable or not… any hints pls…))

@batman786 said:
Is the submit form vulnerable or not?? The 1st parameter checks for a regex name match and the 2nd parameter… tried many injection techniques… can’t verify whether it’s vulnerable or not… any hints pls…))

Enumerate more and then revisit the form. You’ll see the light and understand how to check it.

@TheSecEng said:

@batman786 said:
Is the submit form vulnerable or not?? The 1st parameter checks for a regex name match and the 2nd parameter… tried many injection techniques… can’t verify whether it’s vulnerable or not… any hints pls…))

Enumerate more and then revisit the form. You’ll see the light and understand how to check it.

It’s CouchDB, right… It’s kinda hard to exploit…))

@batman786 said:

@TheSecEng said:

@batman786 said:
Is the submit form vulnerable or not?? The 1st parameter checks for a regex name match and the 2nd parameter… tried many injection techniques… can’t verify whether it’s vulnerable or not… any hints pls…))

Enumerate more and then revisit the form. You’ll see the light and understand how to check it.

It’s CouchDB, right… It’s kinda hard to exploit…))

Use a very popular tool to enumerate the server again… more thoroughly.

@TheSecEng and @dirtychai thanks for the help… found what you were talking about… should have focused more on VulnHub challenges…))

Ah root. Awesome box by @overcast! If you need hints, pm me.

I can’t believe it took me so long to get user.txt after initial foothold. I had access to the right place, but overlooked a crucial and glaring repository of information that was staring me in the face! Don’t overlook things just because you’re looking for an RCE exploit! You might miss something important. Finally got user!

Back at this after a week of taking a break. I could recreate the page locally, I can see the history and what seems to be a vulnerable URL. I can get it to do the ‘correct’ thing, but I am stuck on that.

Rooted at last :))
Anyone who needs a hint can PM me for any stage.

I’m sure I enumerated everything I could find, still stuck on foothold… :confused: Any hint, or anyone I can DM to show what I found?

ARGH! :slight_smile:

Can anyone give me a nudge?

I have a working payload… but the pesky character prefix is giving me a pickling headache!

@Bear said:
ARGH! :slight_smile:

Can anyone give me a nudge?

I have a working payload… but the pesky character prefix is giving me a pickling headache!

Never mind… worked it out… xD

Anyone, PM me for the initial foothold :slight_smile:

Eeek… running the flask… I see the problem with the reverse shell and the normal methods! Back at it tomorrow!

Out of ideas how to gain a foothold/get a shell - any hints by PM would be appreciated; don’t spoon-feed me if you do, just a nudge. Google thinks I’m an automated bot for the amount of searches I’ve done today…

Can’t really understand how I’m supposed to get something to run when it can’t find imports, can’t import by filename, and it can’t find things to do eval on as it can’t find that either… hopefully that’s not a spoiler for someone; it could just be that I’m doing it wrong.

Eyes are burning from the fail.