Bounty

Rooted today. Fun ride and lessons learnt on this one. Be aware of architecture!

Rooted after one month. And the reason for that is simply lack of knowledge and experience.
So if you you cannot get user/root - try harder and learn more. Take a break (I did four or five different boxes meanwhile).
Read the tutorials for the exploiting Windows, in the end you find out that this box is not the rocket science.

BTW I can see on the “Page info” of the web this:
Have I visited this website prior to today? Yes, 1 491 times :wink:

So be patient and GL, I go for beer…or three:)

@AgentTiro said:
If you think you have RCE, how about pinging yourself and watching for the traffic with wireshark?

yeah was able to ping myself… got something wrong with the coding and ended up getting the text to display. Got user! Working on RCE now…

Got a wShell to do RCE with, but cannot find user for the life of me, have gone up and down all these directories. Can anyone give me a tip?

Need some advice getting initial foothold. Think i have the URL but not sure… Please PM me.

Can somebody PM me with some help on the parameters for RCE? I’ve got the right file extension and am uploading what I assume to be the right file but keep getting 500 errors.

got root !

PM if needed

also finally got root… pm if you need a nudge. this box was verrrrry touchy with the commands… things would just stop working if I missed a single quote, etc.

Spoiler Removed - Arrexel

I cannot even get a user on this. I already have wasted 5 days, and I have not get the user flag yet. Reading the posts from this topic, I understand that I have to find a secret page that will help me upload my payload. I tried with wfuzz and dirbuster all the wordlists regarding asp.net that I could find, but so far I could not get access. Any hint ?

I know where it goes but I’m not sure how to build it and then trigger it. I’ve read all these posts and I’ve tried different arch but I think I’m too n00b to understand. Anyone willing to PM about building and then triggering? I would appreciate it!

I have created payload and can successfully browse through the website, but where the ■■■■ is user.txt?

Hello,
Guys could you pls give me a hint.
I ran dirb, nikto and gobuster with different wordlists (common.txt, big.txt, something.medium.txt). Have found two directories to which I do not have access “Forbidden”. Would appreciate a hint.

I keep getting internal error 500 .Tried a lot of combinations nothing worked .Please help

The box seems so unstable, getting different responses all the time… Is this correct?

@WillIWas said:
The box seems so unstable, getting different responses all the time… Is this correct?

yea that box can seem unstable, at times and a bit temperamental . do you have any shell access etc?

@mizzion said:

@WillIWas said:
The box seems so unstable, getting different responses all the time… Is this correct?

yea that box can seem unstable, at times and a bit temperamental . do you have any shell access etc?

No, I just started, found som gui, but it disappeared and I can’t get it back

Messed up my dirb search aswell… annoying

@WillIWas said:
Messed up my dirb search aswell… annoying

if you read all the posts on this thread you will work out what scans to run for a successful recon phase which will lead to your foothold