onetwoseven

my burp suit is not intercepting the localhost request please help me with that… as A***n panel is running on localhost:60080 port and burp is not intercepting that url request

@ecdo said:
Also stuck on root. Got shell as w**--**** and found the a-g thing. I am able to route the a-g thing through my machine. I have setup my own r***y, but how can I exploit without a good sign. There is a thing with a-g recently, but this one is updated already. Any hints? What are good docs to move forward?

come in pm brother… i am stuck at plugin upload part

I’m having trouble with the plugin upload step, could someone PM me with help?

Finally i got a user.txt without uploading addon. Hint: Default.
Any idea how to make uploader work. I’ve do many inspection without success. If you have time to help me - please PM :+1:

Edit: Already i know how to do that. But its too much work to root

TL;DR Edit: nvm got it!
So as many before in this thread I’m struggling with uploading my shell via the special manager. I’ve modified the action to go through m***.p** which includes the --add**.*** and makes the pr**_m**** work by adding a bogus parameter. I get the “File uploaded successfull.y” response but this is where I am utterly stuck. I’ve tried new filenames or overwriting ln.php with the recovered version and a bit extra in the first line. The uploaded file neither appears in root nor in the a*s folder. Playing with burp repeater doesn’t help there either… I still get the successfull.y[sic] message but no cigar. Any help where I am doing it wrong? Locally debugging the code in question I could confirm that the bypass of the wrongly implemented checks has to work and I wouldn’t get “successful” output if it didn’t.

/Edit: nvm got it!

any hint about spoofing alternative for the ap* g** ?


finally got root, i’ve learned so much in this box
Thanks to @dontknow

ugh… im exhausted by the upload part, have tried with browser and burp both by manipulating lots of fields but still getting 404, funny how ad***-do*****d works…

Type your comment> @0x4242 said:

Type your comment> @dapasslacho said:

got root, learned a ton about a-g

Can you recommend some links? Was searching for reference material but did not really find good stuff about the inner workings.

Did anyone ever answer this? There is a lot to be learned about the tool but it seems people will end up spending a lot of time hunting for the information rather than learning the information.

I have reverse shell access as www… am i supposed to elevate to user before root? I cant find a user flag as of now. Any nudge would be appreciated…

Type your comment> @windsurfer said:

I have reverse shell access as www… am i supposed to elevate to user before root? I cant find a user flag as of now. Any nudge would be appreciated…

The user flag is easier to get than a reverse shell - if nothing else the admin pages give you the details you need to log in and get the user flag.

finally got root, i’ve learn so much

If anyone has any clues on why I keep getting 403’s with loh tu**** at high port I’d appreciate a pm. Not sure if it’s on my end or something else.

Edit: Thanks to @Smoothz for the help. If you are running into a similar issue, check the syntax on your s** command. Should be 127 in there and ports should match.

Edit: User.txt got. But still don’t know the p****in type it wants.

Cannot upload. Help wanted.

BTW, I know how to enable a button in web.

Type your comment> @kmahyyg said:

Edit: User.txt got. But still don’t know the p****in type it wants.

Cannot upload. Help wanted.

BTW, I know how to enable a button in web.

Spend a bit of time downloading the other plugins and watch how that works, then read how the plugin you want to target works, with extra attention on what it is looking for.

The message about plugin type is a bit misleading. Focus on the headers first.

stuck at privilege esc part please help me for that

Type your comment> @Zer0Code said:

any hint about spoofing alternative for the ap* g** ?


finally got root, i’ve learned so much in this box
Thanks to @dontknow

check pm

Type your comment> @Rang3r said:

Hey all.

I finally got root. This is probably the hardest box I’ve done.

This is the first box that I’ve asked people for help and I just want to say that the community has been great. helpful and patient.

I want to thank @avetamine for help getting the upload and @AzAxIaL for help with getting root.

Thanks for a great forum.
come pm

Finally rooted, regarding privesc, dont overthink it, carefully pay attention as to how and where the manager look for the packages and do it.

@TazWake The question is: I don’t know how to download the plugins. Could you please give me some hints via PM?

Type your comment> @kmahyyg said:

@TazWake The question is: I don’t know how to download the plugins. Could you please give me some hints via PM?

I dont think this is a spoiler - the plugins have a little link next to them which says (dl) - if you click the link, you download the raw plugin for analysis.

I would also use burp a lot on this bit so you can see exactly what headers are sent and what, if any, redirection happens.