Hint for HELP

So, I was able to root the box but I don’t think I did it the way that it was intended to get the root flag. I would be interested in talking to someone on two things:

  1. Those that used the SQLi approach, was it successful? I couldn’t ever get it to work.
  2. Those who got the root flag how did you do it?

@ChiefCoolArrow said:

@clacky said:
As some others have said, running into restrictions on filetypes here. I’ve looked around at using null chars, multiple file extensions, checked thru the code that’s doing the validating, but no luck.

Is there a technique that you’re using to upload a certain filetype? Or was it just allowed on the box when you tried it?

Same boat here. I’ve tried all the usual file upload bypasses. I have underlying DB access and can see that the allowed file types differ from the default install of the web app. No other users have fewer restrictions or another upload avenue. I can’t get anything successfully uploaded with an executable extension.

With the current config that I am seeing there is no way that unauthenticated fire and forget upload script works…

interesting, if you have DB access couldn’t you add some rows?

This box is easy, I struggled a bit at first but was able to root it. Looking at the source code helped so as to know how to use the exploit. I tried both unauthenticated and authenticated ways and there was really no difference on how the exploit worked. Best time to try the box is immediately after a reset.

Otherwise I’m happy to provide hints if you’re stuck.

@ikuamike, how did you get around file upload restrictions for unauth exploit? I’m assuming you need to get a certain filetype onto the server to then run with that exploit?

@clacky said:
@ikuamike, how did you get around file upload restrictions for unauth exploit? I’m assuming you need to get a certain filetype onto the server to then run with that exploit?

Spoiler Removed

removed

right there in front of me the whole time. thanks!

Hi folks, can actually someone confirm that the authenticated approach by using bl** s*** on the last parameter (still) works. I have quite some headaches to come forward though it works perfectly on my local test installation…I am not really keen to switch to unauthenticated up***d approach after spending so much time :wink: Thanks

@JonnyVTMRF said:
Hi folks, can actually someone confirm that the authenticated approach by using bl** s*** on the last parameter (still) works. I have quite some headaches to come forward though it works perfectly on my local test installation…I am not really keen to switch to unauthenticated up***d approach after spending so much time :wink: Thanks

To me it looks the same either way, you can elevate to admin using bl** s*** and change the config to allow that upload you want, but looking at the code it seems like the upload will be there in any case. The only real problem to solve is the clock skew.

@ashr said:
@JonnyVTMRF said:
Hi folks, can actually someone confirm that the authenticated approach by using bl** s*** on the last parameter (still) works. I have quite some headaches to come forward though it works perfectly on my local test installation…I am not really keen to switch to unauthenticated up***d approach after spending so much time :wink: Thanks

To me it looks the same either way, you can elevate to admin using bl** s*** and change the config to allow that upload you want, but looking at the code it seems like the upload will be there in any case. The only real problem to solve is the clock skew.

Thanks… so bl*** s*** actually works to elevate to webapp admin, seems I need to further dig to get it working…

Anyone able to perhaps PM some pointers to get the exploit to work.

Hi, people! Is it possible to use msfconsole?

Rooted finally…

Tips for user

  • Read the code, it’ll help you fix the script/argument you pass.
  • Read the code, it’ll help you understand why the error message isn’t that honest.
  • The current Time may not be the same everywhere, how can you determine the time on the other side? Maybe you don’t need to change your system time but enter a time based on what’s seen?

For root

  • The basics of enumeration will help you, when I say basics, I mean basics.
  • dON’T STRESS IT! yOU’LL BE FINE.

I don’t know why this machine took me so long, it was easy and right in front of me.
If anyone is stuck, feel free to PM me.

I totally agree with @Bear. I wish I knew that before overthinking on getting user.
Root is straightforward.

Rooted

Hints:
User: Read the exploit, web app source and travel to London
Root: So simple, basic exploit. If you spend more than 10mins on this you aren’t looking in the right place

Fun box!

Hi Guys,

could someone PM a direction how to get through xxxx port. I’m curious to learn more about how to test this technology.

I traveled to Liverpool instead. So crowded there!
Maybe that is why my exploit did not work the first time.
I got upset and started investigations, but the right way was to just run the same exploit actions again and again.

But on the other hand that is good: it encouraged me to dig deep into the exploit code and study hard with a little help from my friends.

@Bear said:
Rooted finally…

Tips for user

  • Read the code, it’ll help you fix the script/argument you pass.
  • Read the code, it’ll help you understand why the error message isn’t that honest.
  • The current Time may not be the same everywhere, how can you determine the time on the other side? Maybe you don’t need to change your system time but enter a time based on what’s seen?

For root

  • The basics of enumeration will help you, when I say basics, I mean basics.
  • dON’T STRESS IT! yOU’LL BE FINE.

Great hints! I figured out how to use the enumeration results with the last hint. Turns out copy-paste does not always help you :smiley:

@Anthirian said:

@Bear said:
Rooted finally…

Tips for user

  • Read the code, it’ll help you fix the script/argument you pass.
  • Read the code, it’ll help you understand why the error message isn’t that honest.
  • The current Time may not be the same everywhere, how can you determine the time on the other side? Maybe you don’t need to change your system time but enter a time based on what’s seen?

For root

  • The basics of enumeration will help you, when I say basics, I mean basics.
  • dON’T STRESS IT! yOU’LL BE FINE.

Great hints! I figured out how to use the enumeration results with the last hint. Turns out copy-paste does not always help you :smiley:

Glad it helped :slight_smile: