Hint for HELP

Spent hours working on the file extension bypass, including reading source code. Any nudges would be appreciated as I’m going insane.

Got a copy of the code from GitHub running locally. I can push up my payload locally all day long, I can find it and execute it. NP. When pushing to Help, if I have that certain extension I get an error “File not allowed”; if I push up with “filename.php.txt” I don’t, but then I can’t execute the file I uploaded. It displays. WTF… Appears the code has been modified from what’s on GitHub.

@Barn3y said:
Got a copy of the code from GitHub running locally. I can push up my payload locally all day long, I can find it and execute it. NP. When pushing to Help, if I have that certain extension I get an error “File not allowed”; if I push up with “filename.php.txt” I don’t, but then I can’t execute the file I uploaded. It displays. WTF… Appears the code has been modified from what’s on GitHub.

Removed

That moment when you’ve got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

¯\_(ツ)_/¯

@rejoinder said:
That moment when you’ve got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

¯\_(ツ)_/¯

I do not think there is really more than one path. What is suggested as an easy way basically does not work (at least on a fresh machine after reset). The difficult path seems to be nicely reproducible.

Rooted. Cool box!

User:
There are indeed two ways to solve it: a) as an unauthenticated user (simpler) and b) as an authenticated user (harder, blind sqli, you have to find the credentials first). Adjust your scripts accordingly, and please, for the love of God, DO NOT rely on error messages.

Root:
Easier than user. It took me about 5 minutes to solve.

In some way, that box is misconfigured for the intended way, if there are intended ways in hacking… but it’s a nice box, I enjoyed it.

I don’t understand why I did not find anything when looking for the uploaded file.
Is there a problem with time?

Rooted… Very simple machine, just the initial part is a little bit tricky.

Hmm my file upload used to work and now it does not? Has anyone experienced this problem?

Edit: Figured it out. There was an issue with the file I was uploading.

@Spiderixius said:
Hmm my file upload used to work and now it does not? Has anyone experienced this problem?

It should not work.

Spoiler Removed

Also I have rooted it. PM for hints if needed.

Rooted, for a box of 20 points it’s not easy at all.

I’ve done two methods of getting into the webapp as an unprivileged user and as an administrator.

With the second method do I get a shell using a similar method as without auth or is there another way?

I want to explore more ways than just the unauth way.

I used the blind SQL way to get administrator in the webapp. Is there a particular method besides similar to the easy way to go after a shell?

If the easy way didn’t exist as a vuln but the SQL injection still did, should I expect to find a way to shell?

I want to make sure I practice the intended ways fully.

I obtained root, but it felt like I was doing so reusing the easy way even though I did use the SQL method.

Assuming the easy way didn’t exist but the SQL method did, could anyone PM tips on how you would go about getting a shell?

For those of you unable to escape for reverse shell, read the code and ask yourself “do I really need to escape?”

Machine always got reset while I am using sqlmap :disappointed_relieved:

Can someone confirm the time travel year is 2 years prior to the release of WarGames starring Matthew Broderick?