Json

@dlh61 said:

Check the format of the message you’re using and you will reduce the possibilities a lot.
Check the version of ASP.NET running and you’ll find that, at that moment, for that version there were not too many common (more used, popular) providers available for that format.
I’d never used it before, but it’s amazing to see it works (and how).

There are good readings following the tool repo.
Very nice step in.
:slight_smile:

Thank you.
I’m having issues using powershell: I cannot connect back to my machine, not sure why.
I can download from my machine in a different way but I haven’t tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

@halfluke said:

@dlh61 said:

Check the format of the message you’re using and you will reduce the possibilities a lot.
Check the version of ASP.NET running and you’ll find that, at that moment, for that version there were not too many common (more used, popular) providers available for that format.
I’d never used it before, but it’s amazing to see it works (and how).

There are good readings following the tool repo.
Very nice step in.
:slight_smile:

Thank you.
I’m having issues using powershell: I cannot connect back to my machine, not sure why.
I can download from my machine in a different way but I haven’t tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

location, location, location…

@j4v40n654n said:

@halfluke said:

@dlh61 said:

Check the format of the message you’re using and you will reduce the possibilities a lot.
Check the version of ASP.NET running and you’ll find that, at that moment, for that version there were not too many common (more used, popular) providers available for that format.
I’d never used it before, but it’s amazing to see it works (and how).

There are good readings following the tool repo.
Very nice step in.
:slight_smile:

Thank you.
I’m having issues using powershell: I cannot connect back to my machine, not sure why.
I can download from my machine in a different way but I haven’t tried yet to execute: not sure if I can touch the disk or everything should be downloaded and executed directly in memory.

location, location

got it directly in memory. Decently painful, lol

Great!
You could first try simple movements such as trying to get a signal back, download to common folders or so and then go to more sophisticated commands knowing a bit more such as writable and callable functions available.

@dlh61 said:

Great!
You could first try simple movements such as trying to get a signal back, download to common folders or so and then go to more sophisticated commands knowing a bit more such as writable and callable functions available.

I started with a ping but from a ping to a shell there is a long way.
It also all depends on what protection is activated on the target and how you can bypass it, if an AV prevents you from writing to disk and execute, etc. Not sure in this case as I do not have full access to the machine yet. Overall every box here is a great learning experience. D**********n is a tough topic for me as I don’t know/like java or .net

Nice box, I wasn’t familiar with the involved technologies and took me more than I expected, and that’s the way to learn.

@halfluke said:

@dlh61 said:

(Quote)
I started with a ping but from a ping to a shell there is a long way.
It also all depends on what protection is activated on the target and how you can bypass it, if an AV prevents you from writing to disk and execute, etc. Not sure in this case as I do not have full access to the machine yet. Overall every box here is a great learning experience. D**********n is a tough topic for me as I don’t know/like java or .net

You can try a 2 step movement such as putting in some common writable place a common tool for next getting a rev shell back to you! :wink:
Great work BTW.

This server is horribly slow

And finally I get a super fast, and all worked like a charm

rooted.

PM for nugets

Almost there I think, but struggling with the final step with the vegetable. Anyone else get “Failed to start HTTP server” errors with this and have any pointers?
Believe I know the reason why (port is in use) but not how to get around it… PS version looks to have a workaround but can’t get the PS module to run… :frowning:

edit: got there, overthinking it as ever

I don’t understand: I get in the website using the “maybetoomuchsimple” credentials… Is that a honeypot? Because those creds are apparently unuseful…

@BadRain said:

I don’t understand: I get in the website using the “maybetoomuchsimple” credentials… Is that a honeypot? Because those creds are apparently unuseful…

In the right place, keep looking at the requests and responses as you browse the site… remember the name of the box also…

Ok, I give … I am able to log in and I know where I need to aim my attack, but I am not having much luck with the POC tool. One of the payloads keeps giving me an error, and I could really use some help getting it to run through cleanly and verifying where I am aiming, etc. If anyone can give me some guidance, I would really appreciate it. Please DM me and I can show what I have and what errors I am getting.

Edit: thought I had it, but I guess I don’t … any help would still be appreciated!

And that’s ok. It’d be nice to discover a way to exploit that information :stuck_out_tongue:

Edit: got user , going for root…

Cool little box, well done. Low-priv foothold taught me a fair bit, and found 3 different privesc vectors once I was in. 5 stars!

Got root, pretty nice box. Thanks @amra13579
I still don’t know what to do with F___Z___a, so if someone got root with that, please PM

Can I get a quick PM about initial foothold? Keep getting subsequent errors with POCs.

aehm… ys******l and the bunch of parameters… too many quotes for the upload of a payload (trying to get root). Any suggestion?

fun ride after forest, straightforward box, no windows vm needed for ys******.
thx to @amra13579

@BadRain said:

aehm… ys******l and the bunch of parameters… too many quotes for the upload of a payload (trying to get root). Any suggestion?

update:
payload uploaded… but can’t run it! :frowning: