FluxCapacitor :@

I need a little nudge on what I'm looking at here. When you guys say fuzzing parameters, are you talking about HTTP verbs (GET etc.)?

Sorry, I am quite new to fuzzing etc., so I am looking for some direction to learn towards.

Hi, can anyone please PM me to clarify things? I found what I reckon is the right parameter and found some interesting stuff with wfuzz. However, I am still not quite done yet. Thx very much!

Will fuzzing work with the default wordlists in wfuzz? I'm trying to narrow down the parameter but I don't really know what I'm looking for. All I get is 403 Forbidden pages.

I have the parameter, can inject, and can upload a payload, but cannot execute. Anyone want to send me a pm to discuss this portion? Don’t need a straight answer but I need to discuss different techniques.

So I have the user.txt. Now for priv esc, has anybody succeeded? I have some enum details but am not able to upload any shell.

@FloptimusCrime said:
So I have the user.txt. Now for priv esc, has anybody succeeded? I have some enum details but am not able to upload any shell.

Basic enumeration will get you on the right path.

Also struggling with this one. I have the arg and am aware of how to get the command through, but haven't been able to prove any kind of execution yet. I feel as though I do not understand what context the command is running in. Do I need to escape from another command first? Trying to figure out how this arg is related to the page…

If someone could PM with a nudge on how to utilize the found parameter? There is no apparent change in the output with the input I give except for those that are rejected by the WAF. Any help would be appreciated.

Got it. For reference in case anyone else runs into this, my error was syntax based. Don’t assume your command is being sent in the way you type it, use a proxy and examine what exactly is sent to the target.

As for finding the parameter, I formulated a command that I thought should do something (did not result in an error) and did as others suggested (fuzz). Good luck

@Omnisec said:
If someone could PM with a nudge on how to utilize the found parameter? There is no apparent change in the output with the input I give except for those that are rejected by the WAF. Any help would be appreciated.

You should check out these blog posts

  1. Web Application Firewall (WAF) Evasion Techniques | by theMiddle | secjuice™ | Medium
  2. Web Application Firewall (WAF) Evasion Techniques #2 | by theMiddle | secjuice™ | Medium

The initial stage is all about getting the right method and combination. Try it out and then PM me if you are still stuck

@0PT1MUS said:

@FloptimusCrime said:
So I have the user.txt. Now for priv esc, has anybody succeeded? I have some enum details but am not able to upload any shell.

Basic enumeration will get you on the right path.

Hey, so I figured something out. Can I PM you so that I don't spoil it for others?

Got root without shell upload. But if someone succeeded in uploading a shell, please PM me to exchange methods.

I think I have basic RCE (with only a very limited subset of commands and no parameters; WAF is working very well). Now I am trying to obtain full RCE. Is this at all possible? I tried any possible globbing, to no avail. Any help? PM?

@davidlightman Even basic RCE is enough to complete this. However, it is also possible to do what you are trying to do. Feel free to PM. However, I think there is enough information here to solve.

P.S. Works without globbing as well.

@Omnisec said:
@davidlightman Even basic RCE is enough to complete this. However, it is also possible to do what you are trying to do. Feel free to PM. However, I think there is enough information here to solve.

P.S. Works without globbing as well.

Thanks. I got the user flag. Working on the root flag right now.

Can someone help me out? I am not sure how to properly fuzz /s???. Send me a PM please.

Beware of certain HTTP clients in your attempts!

Some HTTP clients do not respect your wishes! :stuck_out_tongue_winking_eye:

As already said, check with Burp if the parameter is being sent exactly as intended!

I spent several days to find out this issue!

Thanks so much FloptimusCrime for the tips!
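The advice above about checking in a proxy what is actually sent applies just as much to anyone reading the server or WAF logs afterwards: the value a person types is not the value that travels on the wire, and the value a parser recovers on the server may differ from both. The following is an added example, not code from the thread or from the box, using only the Python standard library; the parameter name `q` and the sample values are constructed for illustration.

```python
"""
Added example (not from the thread): show the difference between the value a
tester types, the bytes a Python HTTP client actually emits for it, and what a
server-side query parser recovers. Standard library only.
"""
from urllib.parse import urlencode, quote, quote_plus, parse_qs


def wire_forms(param: str, typed_value: str) -> dict:
    """Return how one parameter value looks at each stage of a request.

    'typed'           - the naive string a person assembles by hand
    'urlencoded'      - what urlencode() emits for query strings / form bodies
    'quoted'          - what quote() emits when the value sits in a URL path
    'server'          - what parse_qs() recovers from the urlencoded form
    'changed_on_wire' - True when the client rewrote at least one character
    """
    typed = f"{param}={typed_value}"
    encoded = urlencode({param: typed_value})   # space -> '+', ';' -> %3B, '&' -> %26 ...
    path_style = quote(typed_value, safe="")    # space -> %20, '/' escaped as well
    decoded = parse_qs(encoded)                 # the server's view after decoding
    return {
        "typed": typed,
        "urlencoded": encoded,
        "quoted": path_style,
        "server": decoded[param][0],
        "changed_on_wire": typed != encoded,
    }


def rewritten_chars(typed_value: str) -> set:
    """Characters in the typed value that a form-encoding client will not send literally."""
    return {c for c in typed_value if quote_plus(c) != c}


if __name__ == "__main__":
    # Constructed sample values, chosen to exercise space, ';', '&' and '=' handling.
    for value in ["hello world", "a;b", "x&y=1", "plain"]:
        print(wire_forms("q", value))
        print("  characters rewritten by the client:", rewritten_chars(value))
```

The `changed_on_wire` flag is the quick check the poster describes: if it is True, comparing the typed string with the proxy capture (or with the WAF log entry) is the first thing to do before concluding that the server ignored the input.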

Can someone tell me if I'm on the right road? I have been trying to insert a t?m??t??p in my requests to /s??? in Burp Suite… I'm getting a t?m??t??p response. That's it?

Anyone able to confirm if I am heading in the right direction? I believe I’ve found the param though having trouble getting a direct or indirect response. I’ve read the guides provided on this thread.

I'm stumped with this one. I understand how WAF bypasses work, but I am failing to find a param to fuzz. I've thrown some random POST params based on certain comments and successfully used a GET to see a timestamp. I am missing something obvious and it's killing me.