Bounty

Rooted. Box was unstable during the privesc.

Hello, I found the URL where to upload the payload in the correct format.
I can see the uploaded file but I can’t get the reverse shell to work… any hint?

It’s so unstable… but rooted at last. First ‘sucks’ rating I gave here.

UPDATE: rooted… can’t imagine how many times I clicked the ‘Upload’ button

Is it normal that some files present an HTTP error 500? Sometimes it changes to 403. Is this box stable?

Got RCE, can’t find user.txt in the desktop/documents.
Help?

Finally got this after over a week + and leaving and coming back a few times

Hints… just keep at it… find the initial foothold via searching folders and files/pages that would run on this type of web server, you find one of each…

Then work on payload and seeing what files work… go small and simple and then make it complex… any errors will throw 500 and ruin your day and frustrate the ■■■■ out of you… Also, keep in mind lots and lots of others are doing the same things as you… which will overwrite your files and ■■■■ you off… lol… this will screw you up… also use private/no cookie/cache mode on browser/tools… keep trying, think about it and then do it later… don’t just keep hammering away wondering wtf is going on and why your files are missing/going away.

After you get shell and RCE the fun begins… think what type of system it is… the type of shell you have and then try and search for exploit for this system… the architecture plays a big part in this system x86 x64… think about it all and keep at it.
PM if you want.

Woohoo! Finally rooted! M********t got me over the hump. Take note of the previous hints.

For Privilege Escalation you can use 2 exploits. After rooting Bounty I read the writeups on GitHub and all of them use the same exploit, but I found another one.

Rooted! Could anyone do it without M******r?

RCE not stable enough for me to find anything, I might just move on to another box tbh. I’ve been mashing that upload button for too long.

Rooted as well, wondering if there are other methods apart from the easy exploit.

Well that was super annoying. I’ve rooted the box finally. Getting a shell was a wee bit tricky and some suggestions from others helped me get the right command - this should be the hard part though.

Priv Esc according to those who have done it is supposedly super easy. It wasn’t so for me. Despite having done the same exploit as those who have done it (via the writeup on GitHub (need root.txt as password)) - I can see I have used the exact same exploit as them, however for whatever reason it did not work for me and I have no idea why.

So I spent a painfully long time trying to figure out where I was going wrong with increasingly complicated ways of trying to exploit.

Anyway, got system in the end using a different exploit - so to answer @halfluke - yes, there’s a different way to exploit it. It’s harder to find but it worked for me in the end. Phew. From writeups others have done, it is easy. I followed the same path, but it didn’t work for me.

I’ll have to reset box and see if I can do it again with that easy exploit and see where I went wrong. Good to learn.

Good box to learn about getting an initial foothold using something that many tend to overlook (even I’m guilty of this).

I think I have the idea about what to do. Anyone there to help me check if I am doing it right?

Hello guys, I’m in the very beginning with this machine :frowning:
The only thing I found about bounty are two folders, but couldn’t find anything inside.
Can some good soul help me with hints? I’m scanning the host now, trying to find files, but the lists I’m using (or maybe the extensions) find nothing!!
In PM, or here on the forum, I’ll be very happy to have some help!
Thank you!

Would like to thank @0zcool for his help! Finally got root!!! :smiley: PM if anyone needs help!

@CHUCHO said:
Rooted! Could anyone do it without M******r?

I rooted it without Meterpreter but I used Meterpreter to get a shell :slight_smile:

Hi guys! Could you please give me a hint for the Bounty machine? I tried to use dirb with IIS and extension wordlists but it didn’t work. Please PM me!
Thank you!

@nhanlh1493 said:
Hi guys! Could you please give me a hint for the Bounty machine? I tried to use dirb with IIS and extension wordlists but it didn’t work. Please PM me!
Thank you!

Same difficulties here bro, if someone helps you, please help me too!

@nhanlh1493 said:
Hi guys! Could you please give me a hint for the Bounty machine? I tried to use dirb with IIS and extension wordlists but it didn’t work. Please PM me!
Thank you!

Enumerate the webserver and header. Once you have that, find the associated file extensions and let dirbuster do the work.