FootHold : Pretty easy, Find the “Data Container” sub-directory in the website then think of the tools a script kiddie would use to exploit it to get the data. After that think of the ways you could get yourself a ‘black window’
User : Find the script and think of what would happen if “the user input function returned different data”? Google will help you with this quotation!
Root : Simple Enumerating, Focus on the “interesting” file/configuration and then create a new job for it … simply gtfo
After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find the way to use a script without these characters and get the user prompt… so many days at this point…
@Keroseno said:
After reading the code of the file (you know what file I mean), I found the “forbidden characters”… now the question is, how the ■■■■ do I find the way to use a script without these characters and get the user prompt… so many days at this point…
Some ppl have already linked to a page which includes a way around it
Well, thank you very much, I was checking that before, but really, no idea… so I found another way, much easier.
User: Got it, as someone already said… the power of dollar…
Root: I am CRAZY!!! I am doing all that I can with the s*******l but all that I get is a file with the information inside, also I saw that h*****.s***** is running but not loaded, and that is really strange, but it is ridiculous how close I am and I can not get it… it is incredible… Any hint or a gun to shoot myself would be welcome.
Rooted. Hint for the root: If the power of gtfo is not working, you need to change the command, changing permissions on /root/ should be ok, I was trying “cat” all the time and so many hours to the bin… thanks to @rbt for the help with the user.
Rooted. Thanks to all who posted on this forum. I have read this thread each time I got stuck, and each time found the answer.
Seems like this box has several solutions. Mine was a bit dirty, because I'm a noob, but it works.
Root reverse shell, made by user reverse shell, made by stable another user reverse shell, made by unstable another user reverse shell.
### Hints:
Foothold: OWASP 10. I was surprised when I saw the power of the tool for exploiting this vuln. os-shell for example.
User: dollar, if it doesn't work, look closer at what rights you give and to whom.
Root: Someone on this machine at your service.
Enumerate as much as u can. You’ll find a door in front of a data container and a foothold from the front page from which you’ll get some keys to open the door.
Observe the version of the container. Google it and you’ll get a reverse shell.
User:
Honestly, this made me brain-f*cked. However, when you enumerate enough, you’ll find a neighborhood. Read it carefully and you’ll know how to get the user.
Root:
It’s a little bit tricky. Basic enumeration will help you find a core-level application that you can run directly. GTFO will help you.
Conclusion: I learned a lot from this box. Nice box!
Need some hints for this, I’m using sqlmap on the r****s.php?cod=1, trying to use this to dump the tables or get a shell. Yet every time I run the tool I get banned for 90 seconds and the scan won’t complete, any way around this? Or do I have to do it manually?
I am having extreme difficulty with this box and the shell I spawn not properly issuing commands. I have done the whole python and ctrl+z magic to elevate to a fully functional shell, then I move on to the next step for p***r and now when I issue a simple command such as ‘ls’ it doesn’t do anything. I have been stuck on this ■■■■ issue for a week now and can't seem to get anywhere. I have tried numerous methods including socat and retrying various shell methods and still run into the same issue.
@SpicyWeasle said:
I am having extreme difficulty with this box and the shell I spawn not properly issuing commands. I have done the whole python and ctrl+z magic to elevate to a fully functional shell, then I move on to the next step for p***r and now when I issue a simple command such as ‘ls’ it doesn’t do anything. I have been stuck on this ■■■■ issue for a week now and can't seem to get anywhere. I have tried numerous methods including socat and retrying various shell methods and still run into the same issue.
Try sending your -da shell to another listener on your attacker machine as p**r
Hi, I am a little stuck. I found some creds and they work.
The webapp is where I am stuck, trying to figure out how to spawn a shell.
Pls advise. Maybe an ippsec vid I can look at?