Hint for HELP

Managed to get user, working on priv esc now 🙂

So I’m stuck on just getting user. I retrieved some creds from that high port service, logged into the web app using them.

Didn’t see much other than a little bit less blindness.

I did get a fixed up exploit to give me a helpful URL.

However I can’t seem to move past the filtering to execute my shellcode.

Should I have stuck with just the high-port service for getting a shell or is the web app the right direction?

Anyone have any PHP pages they’d recommend for filtering bypass ideas?

I’m assuming resets would also cover databases and that the challenge isn’t broken from others modifying it.

Fun box! My advice is to examine the upload code and the exploit code closely, and edit as needed – might have to do some manual experimentation. After finding your shell, it’s a quick step to root! Basic, basic enum.

Yeah, I got the upload code part and exploit code finds a URL. However, I can’t get RCE for a user shell.

Man, looks like lots of resets hitting now.

I think I know what I need to do, but I can’t get around the upload filter. It’s driving me nuts.

I feel like I’m missing something on root…

Looks like someone is messing with the server and breaking the challenge. I get a Forbidden message for the web app now.

Anyone have any good links for filter evasion tricks?

I’ve tried all the ones that Google provided, but none of my ideas worked out.

Rooted!
Machine was quite useful. Although it is very basic, it taught me to actually pay attention to the basics and stop skipping ■■■■. As soon as the route to r00t was hinted I figured out exactly what I did wrong and I won’t be doing that again!

Good machine though

Spent hours working on the file extension bypass, including reading source code. Any nudges would be appreciated as I’m going insane.

Got a copy of the code from GitHub running locally. I can push up my payload locally all day long, I can find it and execute it. NP. When pushing to Help, if I have that certain extension I get an error “File not allowed”; if I push up with “filename.php.txt” I don’t, but then I can’t execute the file I uploaded. It displays. WTF… Appears the code has been modified from what’s on GitHub.

@Barn3y said:
Got a copy of the code from GitHub running locally. I can push up my payload locally all day long, I can find it and execute it. NP. When pushing to Help, if I have that certain extension I get an error “File not allowed”; if I push up with “filename.php.txt” I don’t, but then I can’t execute the file I uploaded. It displays. WTF… Appears the code has been modified from what’s on GitHub.

Removed

That moment when you’ve got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

¯\\_(ツ)_/¯

@rejoinder said:
That moment when you’ve got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

¯\\_(ツ)_/¯

I do not think there is really more than one path. What is suggested as an easy way basically does not work (at least on a fresh machine after reset). The difficult path seems to be nicely reproducible.

Rooted. Cool box!

User:
There are indeed two ways to solve it: a) as an unauthenticated user (simpler) and b) as an authenticated user (harder, blind SQLi, you have to find the credentials first). Adjust your scripts accordingly, and please, for the love of God, DO NOT rely on error messages.

Root:
Easier than user. It took me about 5 minutes to solve.

In some way, that box is misconfigured for the intended way, if there are intended ways in hacking… but it’s a nice box, I enjoyed it.

I don’t understand why I did not find anything when looking for the uploaded file.
Is there a problem with time?

Rooted… Very simple machine, just the initial part is a little bit tricky.