Hint for HELP

If someone could PM me how they got the unauthenticated exploit to work, I would appreciate it! I was able to gain access to the app from what I found on N*** and got s***, but am still nowhere closer to user yet. Bashing face on keyboard for 2 days now.

-rooted, fun box! ping me if you have issues.

Spoiler Removed

It’s much easier than it seems. Pay attention to the basic enum.

I even tried two cows :wink:
Any script you suggest that could ease the process?

Completely lost on how to do the proper given query.
Have read through the forum but nothing is helping me get it.
Anyone able to give me a push on what/where to learn this query please?

I’ve done the machine (user+root) (via the upload), but would definitely like to revisit the machine with the alternative credential method. If anyone can PM me some resources to help me understand better what’s going on there, that’d be great.

@lackofgravitas said:
Very close to RCE but need a hint with methodology. I can locate uploaded files about 50% of the time, but if they’re sent as .j** when I open them browser complains about the type. If I upload .p** it springs an error message. If I ignore the error it can’t find it. Do I need to get the browser to change MIME type, or just persist with uploading as .p**?

I tried using bs* to modify the upload MIME type on upload but that didn’t help. Can someone give me a nudge in the right direction

@m4rc1n said:
Now I’m really confused. I used the REST alternative to get user and its hash (with one of the previous posts it’s easy). I cracked the hash and also have the password. Tried to log in via the lowest port and cannot. What am I missing?

I’m a n00b, please don’t laugh, but what is REST alternative?

@JAR8 said:
@m4rc1n said:
Now I’m really confused. I used the REST alternative to get user and its hash (with one of the previous posts it’s easy). I cracked the hash and also have the password. Tried to log in via the lowest port and cannot. What am I missing?

I’m a n00b, please don’t laugh, but what is REST alternative?

Restful API on port 3000

Restful API on port 3000

I have no clue how to do this! Would appreciate any notes on this!

@lackofgravitas said:

Restful API on port 3000

I have no clue how to do this! Would appreciate any notes on this!

I used the port 80 route.

Hey, I’m trying to find the uploaded files, knowing that they possibly are on /st/us/t*****s/something.

However, I have no clue how to get to that something. Could anyone please help? PMs appreciated

EDIT: Got it. For those that are wondering, consider running DirBuster and checking the source code on GitHub. Also, there is a helpful script if you google for a bit :stuck_out_tongue:

This box isn’t too bad, here are my hints:
User -
I got access from port 80, my tip is to go over the source code and look specifically for how it treats files that are uploaded. You will notice a few interesting things about how it deals with the blocked files you upload.

Root -
Start from square one and find what’s been done.

Overall fun box :slight_smile:

I guess there is no delete option for comments

Can someone PM me directly pls? I’m struggling with the upload file, already changed the exploit and followed the hints here to execute the exploit at the same time when sending the file over, but no luck yet. Nothing seems to be found at URL/s****/u*****/t******/

I do believe this is somehow related to the timestamp, but can’t figure out what is

EDIT: Finally, I was able to find the image of my upload… for those who are struggling with this, my recommendation is to edit the exploit, and increase the range. I’ll try to see what happens with the php file now

I have been stuck on User for days. I have the username and password but can’t find where to use them.

Hi there! Can someone please PM me about the root? I got it, but I really hate the way I did it and am pretty sure it was not the intended way. Spent hours trying to find some basic stuff everyone is talking about. So I just want to understand what I missed during the enumeration process. Thanks.

Could anyone message me with a hint for root? I found what looks like a password in a log file, local password for he***e account, root password for mysql, admin password for web staff login, but none seem to give me root access. Not finding any local privesc exploits out there so I’m not sure what I’m missing.

Could someone PM me about popping the initial shell on this box? I’m attempting the port 80 way, and have a pretty good idea of what I need to do and how to go about doing it, and I’m sure the rev-shell I’m using is solid, but I never get a call back to my box. If someone could message me and maybe point out a flaw that I’m overlooking, that would be appreciated!

EDIT: Nevermind I’m a moron, figured out where I was going wrong.

I can’t get my reverse shell to trigger?? This is annoying.

Nevermind!!! I am on