Hint for HELP

I feel like I’m missing something on root…

Looks like someone is messing with the server and breaking the challenge. get a Forbidden message for the web app now.

Anyone have any good links for filter evasion tricks?

I’ve tried all the one’s that Google provided, but none of my ideas worked out.

rooted!
Machine was quite useful, although it is very basic it taught me to actually pay attention to the basics and stop skipping ■■■■. As soon as the route to r00t was hinted I figured out exactly what I did wrong and I won’t be doing that again!

Good machine though

spent hours working on the file extension bypass, including reading source code, any nudges would be appreciated as i’m going insane

Got a copy of the code from github running local. I can push up my payload local all day long, I can find it and execute it. NP. When pushing to help if I have that certain extension I get an error “File not allowed” if I push up with “filename.php.txt” I don’t but then I can’t execute the file I uploaded. it displays. WTF… Appears code has been modified from whats on github.

@Barn3y said:
Got a copy of the code from github running local. I can push up my payload local all day long, I can find it and execute it. NP. When pushing to help if I have that certain extension I get an error “File not allowed” if I push up with “filename.php.txt” I don’t but then I can’t execute the file I uploaded. it displays. WTF… Appears code has been modified from whats on github.

Removed

That moment when you’ve got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

¯ _(ツ)_/¯

@rejoinder said:
That moment when you’ve got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

¯ _(ツ)_/¯

I do not think there is really more than one path. What is suggested as a easy way basically does not work (at least on a fresh machine after reset). The difficult path seems to nicely reproducable.

Rooted. Cool box!

User:
There are indeed two ways to solve it: a) as an unauthenticated user (simpler) and b) as an authenticated user (harder, blind sqli, you have to find the credentials first). Adjust your scripts accordingly, and please, for the love of God, DO NOT rely on error messages.

Root:
Easier than user. It took me about 5 minutes to solve.

in some way, that box is misconfigured for the intended way, if there are intended ways in hacking…but it’s a nice box, I enjoyed it

I don’t understand why I did not find anything looking for file uploaded.
Is there a problem with time?

Rooted…Very simple Machine just initial part is little bit tricky.

Hmm my file upload used to work and now it does not? Has anyone experienced this problem?

Edit: Figured it out. There was an issue with the file I was uploading.

@Spiderixius said:
Hmm my file upload used to work and now it does not? Has anyone experienced this problem?

It should not work.

Spoiler Removed

Also I have rooted it. PM for hints if needed.

Rooted, for a box of 20 points it’s not easy at all.

I’ve done two methods of getting into the webapp as an unprivileged user and as an administrator.

With the second method do I get a shell using a similar method as without auth or is there another way?

I want to explore more ways than just the unauth way.

I used the blind SQL way to get administrator in the webapp. Is there a particular method besides similar to the easy way to go after a shell?

If the easy way didn’t exist as a vuln but the sql injection still did should I expect to find a way to shell?

I want to make sure I practice the intended ways fully.