kotarak

@MrWest3r said:
Hi people. I have been hitting this machine with everything I can think of. I have found which ports are opened and dirbusted them THOROUGHLY. I see that certain http-methods are allowed and I have tried to exploit them with no success. I have tried to bruteforce the to***t login as well with no success. I have also tried to exploit the “Private Browser”-form and have gotten access to /server-status, but nothing else.
Can anyone give me a nudge in the right direction? Any hint is appreciated.

If you’ve seen the status, you have the answer.

Del

Can anyone PM a hint on priv esc to root?

any help after getting user?

Help needed here, got three different .pXX files on port 6XXXXX, got several .xXX files on port 8XXX, found the tetris game… but still no clue on how to get the initial shell.

@txalin said:
Help needed here, got three different .pXX files on port 6XXXXX, got several .xXX files on port 8XXX, found the tetris game… but still no clue on how to get the initial shell.

if u got tetris there is something more …

@ronny said:

@txalin said:
Help needed here, got three different .pXX files on port 6XXXXX, got several .xXX files on port 8XXX, found the tetris game… but still no clue on how to get the initial shell.

if u got tetris there is something more …

Thx, I’m already inside and trying to esc to root, and as always… stuck again :cold_sweat:

@txalin said:

@ronny said:

@txalin said:
Help needed here, got three different .pXX files on port 6XXXXX, got several .xXX files on port 8XXX, found the tetris game… but still no clue on how to get the initial shell.

if u got tetris there is something more …

Thx, I’m already inside and trying to esc to root, and as always… stuck again :cold_sweat:

same here!

Is the pass that you can extract after initial shell usable (and I am searching in wrong places?) or should it be modified in some way?

@y3zier said:
Is the pass that you can extract after initial shell usable (and I am searching in wrong places?) or should it be modified in some way?

no need to modify

@blobbo said:
The priv esc side is doing my head in… It was all making sense till I hit a brick wall…

mine as well for root. I feel I am missing one piece of the puzzle…

Hi everyone, I’m having a hard time trying to bypass the ‘try harder’ filter. Already read a lot about LFI/RFI but can’t find a way in. Can someone send a tip?

@zelsonm1 said:
Hi everyone, I’m having a hard time trying to bypass the ‘try harder’ filter. Already read a lot about LFI/RFI but can’t find a way in. Can someone send a tip?

I found the way in, thanks for pointing the right direction guys :wink:

Likewise I’m quite stuck, same place with the “try harder” filter, and enumerated everything I can think of (minus this mysterious ‘tetris’ game I’ve seen mentioned). I can see the server-status, however nothing stands out as important or useful. Any direction to head in?

I got an initial webshell but couldn’t escalate to an interactive shell. I suppose we need it to switch user by using the extracted password?

Rhadow - there are two passwords that can be extracted. Try again, try them both.

Hey folks, would love a nudge in the right direction here. Found the 2 locations and was trying a bit of fuzzing for dir trav, and still running a discover scan on burp to see if I’m missing anything or if I can find more files… dirb didn’t help that much… and for most of my attempts in path=xxx I get try harder… can I get a push please? Thanks!

@zelsonm1 said:

@zelsonm1 said:
Hi everyone, I’m having a hard time trying to bypass the ‘try harder’ filter. Already read a lot about LFI/RFI but can’t find a way in. Can someone send a tip?

I found the way in, thanks for pointing the right direction guys :wink:

I’ve been trying to bypass the ‘try harder’… I found other ways instead of fXXX// like sxx// or fxx//, but in all cases they only read the files’ content, not execute them. Could you tell me if you got a webshell this way (setting the right xxx for path)?

Hi,
Enumerate well the application you see in the high port. Use the right requests. Think which pages you would check in an apache installation to get information. When you find the right page you will find something interesting that will guide you to the next enumeration step. This is a multi-step box in all phases.

@kubanu said:
Hi,
Enumerate well the application you see in the high port. Use the right requests. Think which pages you would check in an apache installation to get information. When you find the right page you will find something interesting that will guide you to the next enumeration step. This is a multi-step box in all phases.

thanks… I got the idea :slight_smile: