Init HINT for dumb people like me who can’t find с*******:
First you need to find m*********
to search for m********* you need to do the most common thing that can be done with d**b tool and at the same time not give him anything that is outside of his standard directory.
After that, pay all attention to the found m*********, but, as already said, you do not need brute force!
Then the question arises: what can be done other than brute-forcing?
Here you need a hint about the teacher and verbs.
however, this was not enough for me: note that sometimes a slash can be crucial
after that you should look at what the server told you.
I hope I haven’t suggested too much?
Can anyone who did not find the password by “guessing” but by brute forcing- contact me and tell me his/her way to approach ? I build a small script using curl to read cookies+token and use them for request but it fails all the time.
If you know the exploit you need to use, you can easily convert that into a brute force script, that’s how I did it (even after guessing it, I made the script anyway)
I have problems to make the payload work fine. It looks that everything is correct but I can’t get the reverse shell working… any hint for this? please PM and thanks in advance.