Bounty

Rooted! Was very hard for me, Windows is completely out of my comfort zone…
For user: (Hate this) Enumerate again, Google is your friend, check what you can upload :smiley:
One piece of advice for privesc: if u wanna do this via Met******t, check the architecture of what you are workin’ on :smiley:

Cheers !

Had user 2 months ago before having other urgent things to focus on. Getting the initial foothold again was annoying until I remembered my notes. This thread contains plenty of info if you are stuck. Keeping a steady shell and getting to root was quite a bit easier with use of certain Windows utils that are available by default.
Nice box.

Is there a trick to get a file upload to stick? I had a working upload earlier and got a stable shell, but now the same file isn’t working. Help!

Edit: Got root.txt. Still really confused as to why sometimes the upload sticks and other times not. Had better luck on free than vip.

None of my RCE seems to work, I’m a little bit confused too right now hahaha

Having some trouble figuring out how to format the upload. I’m aware of the extensions it allows, but it is giving me “cannot be displayed because it contains errors”. Would be greatly appreciated if someone could PM and give me an idea on next steps.

Rooted. Box was unstable during the privesc.

Hello, I found the URL where to upload the payload in the correct format.
I can see the uploaded file but I can’t get the reverse shell to work… any hint?

It’s so unstable… but rooted at last. First ‘sucks’ rating I gave here

UPDATE: rooted… can’t imagine how many times I clicked the ‘Upload’ button

Is it normal that some files present an HTTP error 500? Sometimes it changes to 403. Is this box stable?

Got RCE, can’t find user.txt in the Desktop/Documents.
Help?

Finally got this after over a week + and leaving and coming back a few times

Hints… just keep at it… find the initial foothold via searching folders and files/pages that would run on this type of web server, you find one of each …

Then work on payload and seeing what files work… go small and simple and then make it complex… any errors will throw 500 and ruin your day and frustrate the ■■■■ out of you… Also, keep in mind lots and lots of others are doing the same things as you… which will overwrite your files and ■■■■ you off… lol… this will screw you up… also use private/no cookie/cache mode on browser/tools… keep trying, think about it and then do it later… don’t just keep hammering away wondering wtf is going on and why your files are missing/going away.

After you get shell and RCE the fun begins… think what type of system it is… the type of shell you have and then try and search for exploit for this system… the architecture plays a big part in this system, x86 x64… think about it all and keep at it.
PM if you want.

Woohoo! Finally rooted! M********t got me over the hump. Take note of the previous hints.

For privilege escalation you can use 2 exploits. After rooting Bounty I read the writeups on GitHub and all of them use the same exploit, but I found another one.

Rooted! Could anyone do it without M******r?

RCE not stable enough for me to find anything, I might just move on to another box tbh. I’ve been mashing that upload button for too long.

Rooted as well, wondering if there are other methods apart from the easy exploit.

Well that was super annoying. I’ve rooted the box finally. Getting a shell was a wee bit tricky and some suggestions from others helped me get the right command - this should be the hard part though.

Priv esc, according to those who have done it, is supposedly super easy. It wasn’t so for me. Despite having done the same exploit as those who have done it (via the writeup on GitHub (need root.txt as password)) - I can see I have used the exact same exploit as them, however for whatever reason it did not work for me and I have no idea why.

So I spent a painfully long time trying to figure out where I was going wrong with increasingly complicated ways of trying to exploit.

Anyway, got system in the end using a different exploit - so to answer @halfluke - yes, there’s a different way to exploit it. It’s harder to find but it worked for me in the end. Phew. From writeups others have done, it is easy. I followed the same path, but it didn’t work for me.

I’ll have to reset box and see if I can do it again with that easy exploit and see where I went wrong. Good to learn.

Good box to learn about getting an initial foothold using something that many tend to overlook (even I’m guilty of this).

I think I have the idea about what to do. Anyone there to help me check if I am doing it right?

Hello guys, I’m in the very beginning with this machine :frowning:
The only thing I found about Bounty are two folders, but I couldn’t find anything inside.
Can some good soul help me with hints? I’m scanning the host now, trying to find files, but the lists I’m using (or maybe the extensions) find nothing!!
In PM, or here on the forum, I’ll be very happy to have some help!
Thank you!