Jarvis

nice one

is that sis thing rabbit hole for privesc? :confused:

Type your comment> @mpzz said:

is that sis thing rabbit hole for privesc? :confused:

My bad. That was not a rabbit hole. Got root :slight_smile:

So is there really an lfi here?Because I was suspecting the same thing

Type your comment> @m00nr4c00n said:

Im so bad at privesc… got LFI working, got RCE working… but fk me! im just www-data.

How did you got LFI working.? I tried. I got request canceled.

.

Spoiler Removed

Hint for user: a fortune character might help.

Hi, I can get connection from server and I can run commands via specific scripting tool but the user is not correct user for me. How can i escape from www-****?

This box is just straightforward and awesome…Don’t over complicate anything…
Those who are not getting the user shell from www-data , check which shell you’re using to execute commands…

Rooted! I really enjoyed this box! Every step is pretty straightforward once a proper enumeration has been done, so that no guesswork is needed. Thanks to the authors!

Could anyone provide me some insights (looking on what to research) on subverting the (you know what) file to get user.txt?
The obvious chars that would allow that are being “filtered”.
Thanks!

Got it :slight_smile: A bit of manual brute force and logical thinking did it :stuck_out_tongue:

If you’re getting banned, why don’t you switch to something more reliable…? :slight_smile:

Type your comment> @anthonws said:

Could anyone provide me some insights (looking on what to research) on subverting the (you know what) file to get user.txt?
The obvious chars that would allow that are being “filtered”.

I am not able to bypass the filter, and it doesn’t run on the other shell. :anguished:

Is it possible that the exploit is related to the php version?

So does the high port start banned?

Type your comment> @sherad said:

So does the high port start banned?

Yes…

The high port, its a rabbit hole??

Type your comment> @gonzahack said:

Is it possible that the exploit is related to the php version?

there’s an easier way

I have found two areas of interest on the lower web port but neither seem to be working:

  1. *.php?= URL that may lead to an LFI: I can not provoke this URL to give me anything of use by the way of either a file or a useful error message.

  2. .js file that references a .php file that may be able to LFI: I have sent a few POST requests to this php file with the information from the .js file but don’t get any result back, just a 302 that sends me back to the index.php.

Are either of these worth delving further into? Am I missing something else obvious here? Any nudge would be appreciated. Thanks.