Hint for HELP

As some others have said, running into restrictions on filetypes here. I’ve looked around at using null chars, multiple file extensions, checked thru the code that’s doing the validating, but no luck.

Is there a technique that you’re using to upload a certain filetype? Or was it just allowed on the box when you tried it?

Rooted it. Hint for root: if you're done with most VulnHub machines, you can root this easily. Hahahahaa

■■■■, I spent too much time banging my head against the wall on some stupid mistakes. I went the easy (unauthenticated) route, since I couldn’t figure out the high port endpoint, and after reading the code I’m not sure how I was supposed to discover that other than a wild guess.

Hint for user: go read the code, seriously, pay close attention to it, don’t trust the exploit documentation over what you’re seeing, but the exploit code is correct.

Hint for root: I hate typing in the wrong window almost as much as I hate Caps lock.

Any hints for priv esc? Looked at searchsploit, keep getting an error on execution

./xxxxx
error invalid argument

executing from within a reverse python shell

rooted! Great Box! Credit to @Sekisback for hints
This box is 100% searching in google for specific exploits.
For User: I didn’t find any creds. Just run the exploit on the right place.
For Root : basic exploitation

Finally root! I Really enjoy this box. Congrats to the creator, good fun!
Didn’t use N****** on port XXXX but I will give it a try.
User: Read the code, careful… don’t just use it as is… :wink:
Root: too easy… seriously, it’s that obvious.


Anyone care to drop a nudge? I’ve found the exploit (I guess) and I can bypass the file extension for the unauthenticated way, but it just doesn’t work. Maybe it has something to do with the time that everyone is talking about, but no clue :expressionless:

Edit: got it

Interesting machine - learnt a couple of new things. Thank you to the creator, @cymtrick. :smiley:

(12) 2 Days for this [ 99% of time = user, 1% of time = root ]
Special thanks to one guy for his great explanation.

@clacky said:
As some others have said, running into restrictions on filetypes here. I’ve looked around at using null chars, multiple file extensions, checked thru the code that’s doing the validating, but no luck.

Is there a technique that you’re using to upload a certain filetype? Or was it just allowed on the box when you tried it?

Same boat here. I’ve tried all the usual file upload bypasses. I have underlying DB access and can see that the allowed file types differ from the default install of the web app. No other users have less restrictions or another upload avenue. I can’t get anything successfully uploaded with an executable extension.

With the current config that I am seeing there is no way that unauthenticated fire and forget upload script works…

The admin of this box is lazy and a troll, yet has immaculate restraint when it comes to reusing creds. Make of that what you will.

Anyone wanna PM hints to get

@vict0ni said:

Anyone care to drop a nudge? I’ve found the exploit (I guess) and I can bypass the file extension for the unauthenticated way, but it just doesn’t work. Maybe it has something to do with the time that everyone is talking about, but no clue :expressionless:

Banging my head on this too. Anyone got any pointers, or any tips on how to get the user creds via the high port number service?

So, succeeded in getting login credentials to platform via high port service. Any pointers on how to bypass filters? :)

So, I was able to root the box but I don’t think I did it the way that it was intended to get the root flag. I would be interested in talking to someone on two things:

  1. Those that used the SQLi approach, was it successful? I couldn’t ever get it to work.
  2. Those who got the root flag, how did you do it?

@ChiefCoolArrow said:

@clacky said:
As some others have said, running into restrictions on filetypes here. I’ve looked around at using null chars, multiple file extensions, checked thru the code that’s doing the validating, but no luck.

Is there a technique that you’re using to upload a certain filetype? Or was it just allowed on the box when you tried it?

Same boat here. I’ve tried all the usual file upload bypasses. I have underlying DB access and can see that the allowed file types differ from the default install of the web app. No other users have less restrictions or another upload avenue. I can’t get anything successfully uploaded with an executable extension.

With the current config that I am seeing there is no way that unauthenticated fire and forget upload script works…

interesting, if you have DB access couldn’t you add some rows?

This box is easy, I struggled a bit at first but was able to root it. Looking at the source code helped so as to know how to use the exploit. I tried both unauthenticated and authenticated ways and there was really no difference on how the exploit worked. Best time to try the box is immediately after a reset.

Otherwise I’m happy to provide hints if you’re stuck.

@ikuamike, how did you get around file upload restrictions for unauth exploit? I’m assuming you need to get a certain filetype onto the server to then run with that exploit?

@clacky said:
@ikuamike, how did you get around file upload restrictions for unauth exploit? I’m assuming you need to get a certain filetype onto the server to then run with that exploit?

Spoiler Removed
