Hint for HELP

Ok, so i have been sitting a while trying to get a shell. Could someone PM me so i can find out if my method is not a waste of my time? (Don’t want any spoilers) Cause i feel my method is the way to go.

are we supposed to get creds? cause i seem to be failing on that
also the unauthenticated exploit is not working (maybe modification is needed?)

Could I get a hint please? Ticket portal or JOSN page?

You can use one or the other. There is at least two ways you can go.

hints on privesc?

Should i keep on trying different bypass methods for my shell upload or am i wasting my time? Should i try and get a shell in a different way?

hint for root please :frowning:

Got half the user… need some tips for finding the rest?

@r0tt3d said:
Should i keep on trying different bypass methods for my shell upload or am i wasting my time? Should i try and get a shell in a different way?

I really can’t say too much without spoiling things, but I would strongly advise you to review the code on github. If you look closely, you’ll be very surprised at what you find.

deleted

@opt1kz said:

@r0tt3d said:
Should i keep on trying different bypass methods for my shell upload or am i wasting my time? Should i try and get a shell in a different way?

I really can’t say too much without spoiling things, but I would strongly advise you to review the code on github. If you look closely, you’ll be very surprised at what you find.

That is a good hint :slight_smile:

It seems I bypassed the file extensions upload for my php session, but I have not idea where its uploaded to. Looking through the GitHub I dont see anything.

Took me a while to know I had to time travel, I feel discriminated.

@vanquish said:
It seems I bypassed the file extensions upload for my php session, but I have not idea where its uploaded to. Looking through the GitHub I dont see anything.

Look harder. It tells you where to look if you’re reading the code.

Edit: Found it. Nice box with little frustration on error msg. Interested to know the other way to get the user.

@GrafEisen said:
Took me a while to know I had to time travel, I feel discriminated.

Exactly… not unless you live in a UTC time zone XD

IIRC the time() command in PHP and time.time() in python return UTC.

@jkr said:
IIRC the time() command in PHP and time.time() in python return UTC.

You still have to time travel a little bit, or adjust the exploit, which is what I did :wink:

But it does not have to do with timezones but with poorly synced clocks?

@jkr said:
IIRC the time() command in PHP and time.time() in python return UTC.

Weird, if I check the source that worked and time.time() I do get the same value, but time.time() is still not working. I guess it only wanted me to work more.