Missing something here…
I found some interesting things early on with Burp Suite. I then enumerated a user and 2 text files with wfuzz but can't find the .py file.
A SMALL nudge would be appreciated.
It’s a secret directory, and under it you should find the py file you are looking for.
Use a common wordlist, no need to go with big ones.
Just in case, check you are using port 8080 and not 80.
I thought I'd done that, but your comment made me realize I didn't quite do it the right way. I focused too much on an interesting vulnerability I found early on.
Rooted. Nice one @clubby789, although I believe there is an "easy" (and potentially unintended) method for root that should be patched if possible, as it sorta ruined that bit for me. I'm going to go back and do it the (what I believe to be) intended way now though.
Thanks for the machine!
Hints:
Foothold: Fuzzing & then Source Code analysis. Look at what you can do to get RCE.
User: There are a few different ways of doing this. You have an input and an output – these two things should be enough to work backwards.
Root (Intended Method Only): Analyze the code, and check what is outputted. Keep checking… and checking… Once you do that, you’ll have everything you need.
Yeah, that's unintended, and I've been told a fix is being pushed. To anyone else who used that method to get root, I suggest you go back and try it the intended way.
Having just solved it as my first machine, I honestly have no clue if I did it the right or wrong way.
It was probably the easy way, as the root password was a lot easier to obtain than the rest of the machine. Or I did it the right way and completely missed out on the easier way.
Anyway, thanks for creating it. While some comments mention it's useless, I learned something from it, so it's certainly not useless.
I can't wait to see a writeup of it to see if I did it the right or wrong way.
The source code is really simple to read. I know exactly which part I should exploit. I tried several times, but it did not work. Then I ran the source on my own computer. And it works. … … Still missing something here.
I know about URL encoding. And as I said, I am hosting the same server myself. I am connecting to it the same way I connect to the box. That's why I find it a bit weird.
HTML URL Encoding Reference
This one really helped
I got a shell as w**-d***; now I think I'm a little bit stuck there.
Could anyone help?
I'm still stuck on enumeration… I tried dirb, dirbuster, fuzzing with ZAP and Burp, with different dictionaries… what's wrong? Can anybody put me on the right path? Thank you.
Initial foothold is more CTF-like, that's why I was stuck, but other parts were very good.
Hints:
Initial foothold: After checking the front page, you will know one thing, and need to know another thing. Fuzz these things together. Then you will find a hole into which you can inject your weapon.
User: Use your algorithm skills and get X from y^x=z
Root: Much more simple than user. Just add the specified option one more time.
You did it the right way definitely.
The other path required taking the box out of the obscurity.
Found what I needed with wfuzz. Downloaded a copy and found the exploitable piece of code. I ran the code locally and experimented until I got the syntax right. I have 2 versions which both work locally. When I target Obscurity, however, I get a 404 and my listener doesn't trigger. Intended?
nvm, found my problem. Don’t assume when you can check!