Dev0ops hints

I know what is running in the background and I know the code for that.

    from flask import Flask

    UPLOAD_FOLDER = '.'
    ALLOWED_EXTENSIONS = set(['xml'])
    app = Flask(__name__)
    app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER

    def allowed_file(filename):
        # True only when the name has an extension in the allow-list
        return '.' in filename and \
            filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

But every single file I try, I get Internal Server Error

PM me if you need help

Got user and shell, stuck on privesc. Looked back, changed some source, grabbed debug console, dropped rev shell - no luck escalating. If anyone wants to drop a pointer in PM, it would be appreciated.

Just rooted! Quite fun… For those who are trying to root, check what packages/services are installed on that system which allow you to ‘travel’ in time. Think about it maybe like a kind of backup or similar solution. Find it, and then find what you can take from there.

I just didn’t understand how it got there - is it a real-life scenario or is it applicable only in particular/rare cases?
Thanks to @lokori for creating such a good box

Hi everyone, I enumerated, then found the entry point and exploited it to read arbitrary files on the system. However, even though I found that a Python package used is vulnerable (related to Rick and Morty), I am definitely stuck with an internal error when I try to get a reverse shell. Could someone help me?

If anyone can help me with priv esc on this box it would be nice. I think I have an idea but don’t know how to look at the past.

Back from holidays!! Priv escalation was pending, and now… I got it. Before the holidays I was stuck, but after sun and beach it seems my view has become clear again. This time I saw how to get root at first glance.
Nice box @lokori, thank you

@ActivateD said:
If anyone can help me with priv esc on this box it would be nice. I think I have an idea but don’t know how to look at the past.

You are so close…
Just Google it, you will figure it out…

Hint: (If it’s a spoiler, please remove it)
“Developers sometimes don’t like what they have done, and they make changes…”

@Hide0 said:
I know what is running in the background and I know the code for that.

    from flask import Flask

    UPLOAD_FOLDER = '.'
    ALLOWED_EXTENSIONS = set(['xml'])
    app = Flask(__name__)
    app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER

    def allowed_file(filename):
        # True only when the name has an extension in the allow-list
        return '.' in filename and \
            filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

But every single file I try, I get Internal Server Error

So you know the vulnerability type, and maybe you know the file structure to provide.
Why don’t you try to follow the file structure rule?
Maybe then you can search OWASP for this kind of vulnerability and use it with the needed structure.
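
The extension check posted above looks only at the filename, so it says nothing about what the XML body contains. As an added example (not code from the thread or from the box; `safe_xml_upload` and the sample documents are constructed here), a content-side check that refuses any upload carrying a DOCTYPE or entity declaration, using only the standard library:

```python
# Added example, not from the thread. Standard library only.
from xml.parsers import expat

ALLOWED_EXTENSIONS = {"xml"}


def allowed_file(filename):
    # Same logic as the snippet posted in the thread: filename only.
    return "." in filename and \
        filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


class UnsafeXML(ValueError):
    """Raised when an upload declares a DTD or entities."""


def _reject(kind):
    # Build an expat handler that aborts parsing on the given construct.
    def handler(*_args):
        raise UnsafeXML(kind + " not allowed in uploads")
    return handler


def safe_xml_upload(filename, data):
    """Return True only if the name passes and the body has no DTD/entities."""
    if not allowed_file(filename):
        return False
    parser = expat.ParserCreate()
    # Stop at the first DOCTYPE or entity declaration, before any
    # later parsing stage could expand an entity.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity")
    try:
        parser.Parse(data, True)
    except (UnsafeXML, expat.ExpatError):
        return False  # unsafe or malformed: reject cleanly instead of a 500
    return True


# Constructed sample inputs (element names are hypothetical).
PLAIN = b"<item><name>a</name></item>"
WITH_DTD = b'<!DOCTYPE item [<!ENTITY e "x">]><item><name>&e;</name></item>'
```

Catching the parser error and returning a rejection also avoids the unhandled exception that surfaces as an Internal Server Error on malformed input.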

@fasetto said:

@ActivateD said:
If anyone can help me with priv esc on this box it would be nice. I think I have an idea but don’t know how to look at the past.

You are so close…
Just Google it, you will figure it out…

Thank you, I will. I know the application, just need to figure it out

@Kinjo said:
Hint: (If it’s a spoiler, please remove it)
“Developers sometimes don’t like what they have done, and they make changes…”

Yep yep

Got the user, … trying to get RCE or a reverse shell, but I don’t have any idea. I need a hint please.

@Ju577Ry If you are sure of the vulnerability but stuck on RCE, try to use different reverse shells.

@rocux I got the user without any RCE or reverse shell, but I don’t think that this method will help me to get an RCE or a reverse shell :confused:

@Ju577Ry there are some important files out there worth looking at other than the user.txt itself.

@rocux so I need to guess the name of the file?

@Ju577Ry no need for guessing. It’s already displayed on purpose.

@rocux maybe dwssap\cte, right?

@Ju577Ry said:
@rocux maybe dwssap\cte, right?

I had sent you a direct message. I hope I didn’t spoil anything without your permission.

I need some help with priv esc. I read back in time and I have a key, but I think that I am still missing a piece of information. Can I DM someone?