Carrier

Wow! It was an amazing machine and it made me learn so much. Huge thanks to @jkr and @pikey301 for leading me to the clue.

Can someone give me advice on RCE with this plz? I’m new to this sort of scenario. I understand it’s to do with the V***** S***** on the D********** page but I’m unsure how to execute.

@tiger5tyle said:
Can someone give me advice on RCE with this plz? I’m new to this sort of scenario. I understand it’s to do with the V***** S***** on the D********** page but I’m unsure how to execute.

There is a button on the webpage that executes a query/command…
Find out how to add your own cmd (using the same language spoken) and listen

I’m stuck as root on first shell.
Network enumerated, playing with vth, dumping the packets with t***p and analysing, but cannot figure out an attack…

I believe I am almost there but need a nudge to guide, anyone please?

It took me more time to get user than root. I think working as a net admin gave me an advantage.
What I don’t know now is what to do with ‘secretdata’ I’m sure it has something to do with the prince. Any suggestions?

Any hint on RCE? Except for parameter name and encoding…

Can someone PM me a hint for the RCE part? I’ve identified where to exploit it, I think I’ve traced out what’s going on when the button is clicked, but every time I try to encode (and I’ve tried several different encodings) a command to be executed, I get no output.

@nergalwaja said:
Can someone PM me a hint for the RCE part? I’ve identified where to exploit it, I think I’ve traced out what’s going on when the button is clicked, but every time I try to encode (and I’ve tried several different encodings) a command to be executed, I get no output.

Same here, couldn’t get it to exec…

@nergalwaja said:
Can someone PM me a hint for the RCE part? I’ve identified where to exploit it, I think I’ve traced out what’s going on when the button is clicked, but every time I try to encode (and I’ve tried several different encodings) a command to be executed, I get no output.

Try to append to what you have instead of giving it as a new command. That may work.

I am stuck after getting root shell. Not very well versed in networking.
I’ve tried some tc****p and some t*****.
Can someone give me a hint or PM me please?

@guihle said:
I am stuck after getting root shell. Not very well versed in networking.
I’ve tried some tc****p and some t*****.
Can someone give me a hint or PM me please?

Me too.

If anyone would mind showing me how to get the shell. I know what I am meant to be doing, i.e. fiddling with the parameter using q**gga, but I don’t know HOW to do it using Burp. Can anyone help a noob?

@EvilMonkee said:
If anyone would mind showing me how to get the shell. I know what I am meant to be doing, i.e. fiddling with the parameter using q**gga, but I don’t know HOW to do it using Burp. Can anyone help a noob?

Append your command there and get the shell.
If it’s still not happening, PM me.

Thanks to @sesha569 for the help - knew what to do but just needed a shove over the edge. User obtained, now onto getting a more permanent shell. Thanks dude

Can someone help me on the priv escalation? I am pretty much a newbie in routing stuff. So stuck bd.cf edits or changes. I saw B** H***** blogs or videos. But not able to change and listen back or get the root. Can someone help with that? Thanks.

Can someone point me in the right direction? I can get s*** but not s** commands to redirect the V*P PS. I have reverse-shell access and I found the initial service needed to start tc changes.

Using l**t was frustrating to see what it revealed.

(1) It took 2 days to get user part.

@sesha569 said:
Can someone help me on the priv escalation? I am pretty much a newbie in routing stuff. So stuck bd.cf edits or changes. I saw B** H***** blogs or videos. But not able to change and listen back or get the root. Can someone help with that? Thanks.

I’m in the same boat…

How the ■■■■ on earth to do priv escalation on this box … any hints guys … read everything about B** Hac**** . Got vt*** shell … changed every possible flow but I have nothing in hand to look at :confused: I have spent 5 days only on priv escalation …