Teacher

There is something weird: when I use Hydra with username G******* I got a different password found, but those passwords aren’t working. When I brute force again I found another password; when I try it, it doesn’t work. Can you please give me a hint…

Guys. Trying for RCE on all the file upload functionality after login to m***** but failed. Am I on the right way for shell? Please suggest.

Root shell, happy to PM if you are completely stuck.

If you’re exasperated with this box, go back to your enumeration workflow and tools and fix them. This did not require a lot of manual work at any stage.

Got the root flag. Good box. The user flag was harder to get imo.

Got root/shell in a really destructive way.
I’m sure there’s a less destructive way using --c*, but I’ve been unable to get it to work. Is this a red herring?

Hi guys,
I managed to log in as gi**,

I tried to figure out where the RCE is, since when I upload a shell I can’t run it; instead it downloads.

Can anyone help me with RCE please, I’ve read the blog, but have no idea what to do…

@masterrabbit said:
Can anyone help me with RCE please, I’ve read the blog, but have no idea what to do…

In the same boat.

@masterrabbit said:
Can anyone help me with RCE please, I’ve read the blog, but have no idea what to do…

PM me; telling me what you’ve tried so far and I’ll give you a nudge if you’re on the right track.

Could anybody drop me a PM? I’m going for the user as I already have a reverse shell. I guess that giovanni’s password has something to do with a well known system of modified spellings used primarily on the internet… Any help would be of great use.

Ditto on the above. Struggling to escalate to user account… Hints please?!

Boshed this one on the head the other day, found a couple of ways - one I think was a bit Dirty and not intended

Anyone out there who got wild with this one care to PM me? As I said, I’ve already got the flag, I’m just interested how you got it to work. I tried all kinds of variation + tried recreating it on a local machine but no joy.

Hello! I am logged into the system trying to be as evil as possible but my php sucks and no matter how much I read this I can’t get anything to run. I’m trying with simple things like ‘cat’ (exactly as the video) and editing the place of injection I am just getting errors or no results.

Could anyone give me a nudge on the format of how to get this working with something simple like ‘cat’/‘id’/etc?

Thanks!

edit: I’m getting something at least, the page loads with ‘;;’ showing before reloading itself, so… I’m doing SOMEthing on the server side at least

edit2: alright, got RCE, time for code execution. thanks @LegendarySpork for the tip on encoding, saved me so much headache

Phew! Pleased to say I’ve finally graduated :wink: and rooted teacher! Every step of the way seemed to take ages, and I thought I’d never manage to finish this one! Lol! Despite my frustrations I’ve learnt a ton, so thanks very much to the creator. :slight_smile: Thanks also to @marvin7408 for a nudge on moving from the svc account to giovanni. I was trying to overcomplicate things, but should have kept it simpler. Quite enjoyed root once I’d got over my confusion about the actual directories that were used by the “thing”.

@Hetraun said:
Got root/shell in a really destructive way.
I’m sure there’s a less destructive way using --c*, but I’ve been unable to get it to work. Is this a red herring?

--c* may not work here (although I may of course be wrong). A really destructive way did not work for me (couldn’t have made it work). What worked was “a bit destructive” for a very short period of time :slight_smile:

Guys, don’t forget to clean up or reset the box after the work is done…
I just got in the box where I am supposed to be www-data and I was root user already.

@m4rc1n said:

@Hetraun said:
Got root/shell in a really destructive way.
I’m sure there’s a less destructive way using --c*, but I’ve been unable to get it to work. Is this a red herring?

--c* may not work here (although I may of course be wrong). A really destructive way did not work for me (couldn’t have made it work). What worked was “a bit destructive” for a very short period of time :slight_smile:

I wasn’t able to make --c* work here, however there is another shell globbing trick which does work and can result in a root shell without impacting anything outside of /home/g*******.

@deviate said:

@m9rcin said:

@Hetraun said:
Got root/shell in a really destructive way.
I’m sure there’s a less destructive way using --c*, but I’ve been unable to get it to work. Is this a red herring?

--c* may not work here (although I may of course be wrong). A really destructive way did not work for me (couldn’t have made it work). What worked was “a bit destructive” for a very short period of time :slight_smile:

I wasn’t able to make --c* work here, however there is another shell globbing trick which does work and can result in a root shell without impacting anything outside of /home/g*******.

This is interesting. I did not use --c* (again I think it is rather not possible here) but there was another simple trick available in the same area. However I did not negatively impact anything and definitely not /home/g*******.
PM me if you want to discuss details.

Has anyone on VIP had problems with false positives while using burp for m*****?
Hydra worked perfectly on the other hand.

Rooted.
I found this box a struggle. Still don’t get how I got root… I need to spend more time learning this!! I may go back and do it later or just read some write ups…

PM me and I can give you a few hints if you need it.