@drywaterv2 said:
This machine requires XML knowledge doesn’t it?
I dont think so, I didn’t had any knowledge when i did the machine.
Google bro, it has answer to almost everything
Thought so myself, but wasn’t sure what scripts to use. Tried some but I don’t know how I can get around the internal server error. Sorry for the stupid remark
@drywaterv2 said:
This machine requires XML knowledge doesn’t it?
I dont think so, I didn’t had any knowledge when i did the machine.
Google bro, it has answer to almost everything
Thought so myself, but wasn’t sure what scripts to use. Tried some but I don’t know how I can get around the internal server error. Sorry for the stupid remark
The moment you think “No one is that stupid, could it really be that easy, maybe they just forgot…” you are exactly where you need to be. Got root and now I need to try harder at not trying so hard…
@OroJackson said:
Hi, i don’t the way to insert some xml reverse or something like that, some hint pls.
you’re on the right way. find the right “Injection” point if you already found the page, read it carefully…and remember, “good family is a father with three sons”.
@drywaterv2 said:
This machine requires XML knowledge doesn’t it?
I dont think so, I didn’t had any knowledge when i did the machine.
Google bro, it has answer to almost everything
Thought so myself, but wasn’t sure what scripts to use. Tried some but I don’t know how I can get around the internal server error. Sorry for the stupid remark
@otaman can you help me pls? Now i tried upload msfvenom payload.xml and after that used burp suite forward but with *.php.xml but the page said INTERNAL SERVER ERROR.
Can someone PM me on the main website about the XML injection… Uploaded an xml script but I’m getting internal server error, tried curl but to no avail, I have no idea what to do
@prutz said:
Got user, can someone PM how I should’ve found the place to upload? Did some random guess work. Maybe shouldve ran my buster a bit longer?
I ran dirbuster, gobuster and dirb, there are only 2 directories (f*** and u*****)
@prutz said:
Got user, can someone PM how I should’ve found the place to upload? Did some random guess work. Maybe shouldve ran my buster a bit longer?
I ran dirbuster, gobuster and dirb, there are only 2 directories (f*** and u*****)
you are ritgh
@prutz said: @drywaterv2 make sure the format is correct, try to upload a XML without malicious payload first. Also, read carefully.
I have the same problem, i uploaded but the page don’t say if the file load successfull or not. how do you know that is working?
Got root on the box. Thanks @lokori for the interesting challenge. Got stuck for quite a while on the initial entry into the system, but eventually figured it out
@prutz said:
Got user, can someone PM how I should’ve found the place to upload? Did some random guess work. Maybe shouldve ran my buster a bit longer?
I ran dirbuster, gobuster and dirb, there are only 2 directories (f*** and u*****)
you are ritgh
@prutz said: @drywaterv2 make sure the format is correct, try to upload a XML without malicious payload first. Also, read carefully.
I have the same problem, i uploaded but the page don’t say if the file load successfull or not. how do you know that is working?
If you upload an XML it will always give the internal server error. You’ve got to look inside the page, but i haven’t found anything useful myself
@prutz said:
Got user, can someone PM how I should’ve found the place to upload? Did some random guess work. Maybe shouldve ran my buster a bit longer?
I ran dirbuster, gobuster and dirb, there are only 2 directories (f*** and u*****)
you are ritgh
@prutz said: @drywaterv2 make sure the format is correct, try to upload a XML without malicious payload first. Also, read carefully.
I have the same problem, i uploaded but the page don’t say if the file load successfull or not. how do you know that is working?
If you upload an XML it will always give the internal server error. You’ve got to look inside the page, but i haven’t found anything useful myself
You need read, was harder for me interpret but know we some help i have a user but i am stuck again.
When you start to enumerate files for priv.esc., you realize that there are lots of lots places and users(!) to look and you are saying “wow, hmm what is happening here??”
Lets talk about time machine: I hope that you are not talking about the most basic past tense file at user folders, if it is, i rode that file aproximately 5-10 times, I am suprized about what is he doing again and again…
And also no one is talking about .sh files(not run… ones), I spent my most time about those sh files, and searching about the very known command at that sh files, but always getting authentication errors.
Now I am asking that am I at correct path or I should start all from the beginning??
Edit: Answer to my question by myself Yes I was at right path but forget about .sh files. I realized that I was also reading that time machine file before getting user.txt. I just didnt think that comment was so much important !!! Yess rooted !!! Thanks to @wilsonnkwan for the hint…