onetwoseven

No, you certainly need sftp. At least at the beginning.

Anyone can PM me with a nudge on how you found the plugin/addon/upload whatever part that you guys are talking about ? I run into WAF as soon as I do some enumerations, even nikto stops after a few seconds.

Type your comment> @PavelKCZ said:

No, you certainly need sftp. At least at the beginning.

i have access but the problem is when I upload php file just display source code any help for foothold ?

I have a shell as w**-a****-d***. Any nudge on priv-esc?

Can’t understand what I’m missing after getting access to sftp.
I’ve tried to look at the sftp commands but nothing caught my attention, can someone put me on the right path?

What an amazing box!!! Thank you @jkr for putting all the effort!!
I loved that box, especially the root part!! very original and very exciting!!

edit to provide some (as subtle as possible) hints for the box:

For User:
The box gives you creds and access, no need to overthink that. Once you’re in, help yourself and explore what you can do. Try everything. You might not be able to view certain file extensions, so try “re-branding” them. You’ll see the breadcrumbs popping out, so all you have to do is follow them.
If you try to get to some high port, remember there are ways to forward traffic around in your box…
Trying to upload stuff might be tricky there, so make sure you examine the necessary element.

For Root:
Go through the normal enumeration and it will stick out. It’s not that easy to root it with just a command from GTFOBins so think what you can do. If you find that relevant blog post, read it, make sure you understand what each step is doing and think what applies in this box and what doesn’t. Blindly following it will probably create more frustration… You’ll have to get your hands dirty to configure and serve what you carefully prepared, so this step involved (at least in my case) a lot of debugging, but it so rewarding at the end!

Hope I don’t confuse people with my hints, as english is not my first language.

Hmm, starting to feel stupid, because I am not able to figure out how the ■■■■ I can upload some .php from admin web part. :frowning:

Everything I tried simply does not work.

I got several hints, but what should work simply does not work in my lab :frowning:

Same boat as @PavelKCZ. I know how to upload and where to look at to find my uploaded file, but can’t get the reverse shell! Any nudges anyone?

To those stuck on the initial foothold with **TP.

[*] Stop. Examine your environment! Ask the machine for HELP.
[*] What commands can you execute? And what do they do?
[*] Do any of those commands allow you to do more than intended?

Stop thinking “how do I?” and start thinking “so what would happen if?”.

Back to the basics, guys. Stop and think.

Great box get reverse shell but now going to priv escal…

Hint for root?

Finally rooted. This box was a lot of fun :slight_smile:
The configuration flaw that I exploited for priv esc came up early in enum, but figuring out how to actually exploit it took some research and I learned something new about Debian.

are initial creds hidden somewhere?

Type your comment> @veepn said:

are initial creds hidden somewhere?

The box gives you some creds.

Nice user. I beginning to feel like Teacher machine were a simple reset would mess all my commands. Jump in the root drive now…

I seem to be stuck on the initial foothold. I’ve checked what commands are available to me but I’m at a loss as to how to use them to my advantage.

Would anyone be so kind as to send me a small nudge? Thanks.

Same as Vex20k! I get into SFTP and looked at the available commands but I don’t see how I can use them to my advantage. I tried using the c**** command on my reverse_shell but I still can’t run it. Definitely missing something here! Any hints?

I am getting sftp connections only allowed after trying to view the admin page

Regarding the uploads from admin, one of the listed plug-ins should look different. Look and the info in it and combine it with what you see on the page. Then try to exploit it. Only then will you be able to know about the upload function properly. You can’t just “undisable” the button and try to upload. It’s been disabled. But once you know the source code of the special plugin, you can create a nice workaround