Hint for HELP

anyone care to drop a nudge? I’ve found the exploit (I guess) and I can bypass the file extension for the unauthenticated way, but it just doesn’t work. Maybe it has something to do with the time that everyone is talking about, but no clue :expressionless:

Edit: got it

Interesting machine - learnt a couple of new things. Thank you to the creator, @cymtrick. :smiley:

(12) 2 Days for this [ 99% of time = user, 1% of time = root ]
Special thanks to one guy for his great explanation.

@clacky said:
As some others have said, running into restrictions on filetypes here. I’ve looked around at using null chars, multiple file extensions, checked thru the code that’s doing the validating, but no luck.

Is there a technique that you’re using to upload a certain filetype? Or was it just allowed on the box when you tried it?

Same boat here. I’ve tried all the usual file upload bypasses. I have underlying DB access and can see that the allowed file types differ from the default install of the web app. No other users have fewer restrictions or another upload avenue. I can’t get anything successfully uploaded with an executable extension.

With the current config that I am seeing there is no way that unauthenticated fire and forget upload script works…

The admin of this box is lazy and a troll, yet has immaculate restraint when it comes to reusing creds. Make of that what you will.

Anyone wanna PM hints to get

@vict0ni said:

anyone care to drop a nudge? I’ve found the exploit (I guess) and I can bypass the file extension for the unauthenticated way, but it just doesn’t work. Maybe it has something to do with the time that everyone is talking about, but no clue :expressionless:

Banging my head on this too. Anyone got any pointers, or any tips on how to get the user creds via the high port number service?

So succeeded in getting login credentials to platform via highport service. Any pointers on how to bypass filters :)?

So, I was able to root the box but I don’t think I did it the way that it was intended to get the root flag. I would be interested in talking to someone on two things:

  1. Those that used the SQLi approach, was it successful? I couldn’t ever get it to work.
  2. Those who got the root flag, how did you do it?

@ChiefCoolArrow said:

@clacky said:
As some others have said, running into restrictions on filetypes here. I’ve looked around at using null chars, multiple file extensions, checked thru the code that’s doing the validating, but no luck.

Is there a technique that you’re using to upload a certain filetype? Or was it just allowed on the box when you tried it?

Same boat here. I’ve tried all the usual file upload bypasses. I have underlying DB access and can see that the allowed file types differ from the default install of the web app. No other users have fewer restrictions or another upload avenue. I can’t get anything successfully uploaded with an executable extension.

With the current config that I am seeing there is no way that unauthenticated fire and forget upload script works…

interesting, if you have DB access couldn’t you add some rows?

This box is easy, I struggled a bit at first but was able to root it. Looking at the source code helped so as to know how to use the exploit. I tried both unauthenticated and authenticated ways and there was really no difference on how the exploit worked. Best time to try the box is immediately after a reset.

Otherwise I’m happy to provide hints if you’re stuck.

@ikuamike, how did you get around file upload restrictions for unauth exploit? I’m assuming you need to get a certain filetype onto the server to then run with that exploit?

@clacky said:
@ikuamike, how did you get around file upload restrictions for unauth exploit? I’m assuming you need to get a certain filetype onto the server to then run with that exploit?

Spoiler Removed

removed

right there in front of me the whole time. thanks!

Hi folks, can someone actually confirm that the authenticated approach by using bl** s*** on the last parameter (still) works? I have quite some headaches to come forward though it works perfectly on my local test installation… I am not really keen to switch to unauthenticated up***d approach after spending so much time :wink: Thanks

@JonnyVTMRF said:
Hi folks, can someone actually confirm that the authenticated approach by using bl** s*** on the last parameter (still) works? I have quite some headaches to come forward though it works perfectly on my local test installation… I am not really keen to switch to unauthenticated up***d approach after spending so much time :wink: Thanks

To me it looks the same either way, you can elevate to admin using bl** s*** and change the config to allow that upload you want, but looking at the code it seems like the upload will be there in any case. The only real problem to solve is the clock skew.

@ashr said:
@JonnyVTMRF said:
Hi folks, can someone actually confirm that the authenticated approach by using bl** s*** on the last parameter (still) works? I have quite some headaches to come forward though it works perfectly on my local test installation… I am not really keen to switch to unauthenticated up***d approach after spending so much time :wink: Thanks

To me it looks the same either way, you can elevate to admin using bl** s*** and change the config to allow that upload you want, but looking at the code it seems like the upload will be there in any case. The only real problem to solve is the clock skew.

Thanks… so bl*** s*** actually works to elevate to webapp admin, seems I need to further dig to get it working…

Anyone able to perhaps PM some pointers to get the exploit to work?

Hi, people! Is it possible to use msfconsole?

Rooted finally…

Tips for user

  • Read the code, it’ll help you fix the script/argument you pass.
  • Read the code, it’ll help you understand why the error message isn’t that honest.
  • The current time may not be the same everywhere, how can you determine the time on the other side? Maybe you don’t need to change your system time but enter a time based on what’s seen?

For root

  • The basics of enumeration will help you, when I say basics, I mean basics.
  • Don’t stress it! You’ll be fine.