Haystack

I found the p…: s******.i*.k** but it doesn’t seem to work anywhere. I’ve tried some default users at the front door, which didn’t seem to work. Is it a rabbit hole or am I overthinking it? Hint pls x)
EDIT: Okay, that was stupid of me. When you find the p…, don’t be excited and forget to see what else is there.
Thanks @penturmeade for the hint: “if you found the password, the user is very close by”

Eventually got the machine’s root. It was a headache but very interesting. Learnt quite a few things along the way. :slight_smile:

I’m having trouble performing privesc from the user account. I’m trying to run a js file uploaded to the machine using the LFI vuln. The response I get back from sending the GET request with curl is a 400 Bad request: apis parameter is required. My query, however, does include an apis value. Did anyone else experience this?

@Xtrato Use quotes. curl 'url-here'

@fasetto said:
@Xtrato Use quotes. curl 'url-here'

I managed to get a shell once but right now the same command is doing nothing.

Can anyone give me a tip please?

Trying to get root and I get 404 when trying to curl my exploit… does it have to be in a certain path?

@vGsec; You are missing something probably. DM if you want me to check your payload.

@vGsec said:

@fasetto said:
@Xtrato Use quotes. curl 'url-here'

I managed to get a shell once but right now the same command is doing nothing.

Try renaming it. Things only seem to work one time.

@KeyboardCaper said:

I managed to get a shell once but right now the same command is doing nothing.

Try renaming it. Things only seem to work one time.

Hey would you mind DMing me, I’m super stuck trying to get the LFI to execute… just getting 404 or some error about a parameter…

@mofa28 said:

User is awful. Root is nice

I’m finding the exact opposite.

@aj8417 said:

@mofa28 said:

User is awful. Root is nice

I’m finding the exact opposite.

Same, user was pretty easy. Root. Spent 2 days banging head against wall trying to get LFI to work…

Stuck on the ka user. I know I am supposed to do something with l**h, just not sure how or what to do. Any nudge would be awesome.

Is there any exploit to become k****a user… I found one exploit which is RCE which is not working…

Those who are stuck at going banana, you need to look at a certain config file and see why the *F* exploit you are using is not working (it can only be run from a certain place, you already have the tool on the machine to do it) :wink:

I have k***a, but I have a problem editing/making .c
Any hint???

curl: (52) Empty reply from server

why??? does not work and others do not. for LFI

If anyone needs a nudge with user feel free to send a pm :smile:

Can some kind soul nudge me in the right direction on root? I can see the ki***a but can’t figure out how to pivot to that user. Dunno, could be blind. Anyway, any hints would be greatly appreciated.

I think I’m really close to root… Can someone PM me to discuss?
Edit: Nevermind, I got it! Feel free to PM me for help!

Hi, think I found what I need for root. Found something that looks like it link where I can write now. Can someone PM me to discuss?

Someone up for discussing the final part to root? I’ve tried so many things, it got triggered, but even simple tests aren’t executed.