Scavenger

Anyone here can drop some hints about user at least ? There are multiple places to dig not sure where to go :confused:

It looks like I can upload files…but I don’t know where they are going or how to get to them. I’d love a hint or a nudge in the right direction.

I’m trying to enumerate every possible port i get after initial nmap scan. Fixed the Virtual Host part as well. I’m stuck at this point and unable to move forward. Any nudge or hint would be highly appreciated :slight_smile:

I’m unable to get shell… I cannot make any tcp connection, but the commands work. Any tip appreciated :slight_smile:

I have the user, now I work for the root. :smiley:

can i access the whs over http? can see the vulnerability on the backend of the service, tried fuzzing it with a python script. wanting to throw sq*ap at it but only works for HTTP as far as i know

ive seen the vhost for the service but getting the error

Type your comment> @badman89 said:

can i access the whs over http? can see the vulnerability on the backend of the service, tried fuzzing it with a python script. wanting to throw sq*ap at it but only works for HTTP as far as i know

ive seen the vhost for the service but getting the error

You don’t really need any tool. That vuln is simple enough to do it on the command line.

Type your comment> @julianjm said:

Type your comment> @badman89 said:

can i access the whs over http? can see the vulnerability on the backend of the service, tried fuzzing it with a python script. wanting to throw sq*ap at it but only works for HTTP as far as i know

ive seen the vhost for the service but getting the error

You don’t really need any tool. That vuln is simple enough to do it on the command line.

Got it thanks ?

Is the insect M***s the right way here? I know I can upload but I don’t know if this is configured to disk or database. The xl method doesn’t appear to be valid on the version running.

So far a really engaging box!

so I exploited the vuln and dumped the data but info obtained is not useful and I also dont have any r/w perms. any small hint is highly appreciated. :slight_smile:

@mpzz said:
so I exploited the vuln and dumped the data but info obtained is not useful and I also dont have any r/w perms. any small hint is highly appreciated. :slight_smile:

Check the obtained data and redo a step you already did earlier, but with the new data…

I have an RCE but it’s very limited with limited R/W permissions. No reverse shell too, or anything remotely better.

Any tips would be appreciated.

ok got past the first vuln, so much to look at cant seem to find which avenue is the right way yo go

Finally rooted, a box that I did not particularly appreciate especially since she has a lot of rabbits.

Could I get a PM nudge in the right direction for syntax errors with a certain early step?
I can give my notes, just not sure what i’m missing since i’m not too familiar with the method. I keep getting syntax errors no matter what I try but i can manipulate the output of those errors.

Thanks @jorgemorgado for your nudge in the right direction. I appreciate your help!

Totally lost on this one…trying to S*L inject WH**s but lost there…Can someone PM me on initial foothold

Type your comment> @jayjay25 said:

Totally lost on this one…trying to S*L inject WH**s but lost there…Can someone PM me on initial foothold

You are on the right track, you must try a lot harder and counter the mistake.

I’m terrible with the S//i vuln, tried for ages without any success, so I’m instead trying to guess the information I’m looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

Type your comment> @mech said:

I’m terrible with the S//i vuln, tried for ages without any success, so I’m instead trying to guess the information I’m looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

You should continue with S ** I. Just try to analyze and counter the error. Imagine in your head how the query is created.

Type your comment> @Seepckoa said:

Type your comment> @mech said:

I’m terrible with the S//i vuln, tried for ages without any success, so I’m instead trying to guess the information I’m looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

You should continue with S ** I. Just try to analyze and counter the error. Imagine in your head how the query is created.

Managed to get it now thanks :slight_smile: Was missing something when I was trying to imagine how things looked on the other end.