Sniper

Spoiler Removed

@ShadowSuave said:

Just started this machine and I’m lost lol I’m currently trying to host a php from sa server, and access/execute from the ?lang= am I completely off base here? I can access the share from s****t but getting the page not found page from the webpage

nope you’re not off base, you’re exactly where you need to be. I wouldn’t worry about what the web page shows - just see if your payload got accessed/triggered.

Can someone assist me with the LFI? Or DM me and I can explain how I’m attempting the initial foothold. Kinda new to this attack method.

@VbScrub said:

@ShadowSuave said:

(Quote)
nope you’re not off base, you’re exactly where you need to be. I wouldn’t worry about what the web page shows - just see if your payload got accessed/triggered.

I feel like I’ve tried every type of encoding, wrapping, etc. At this point I’m wondering if it’s a problem with my share. Is there a way to test that? (I’ve tested in smbclient and it seems to be working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know I’m definitely missing something here lol

@ShadowSuave said:

I feel like I’ve tried every type of encoding, wrapping, etc. At this point I’m wondering if it’s a problem with my share. Is there a way to test that? (I’ve tested in smbclient and it seems to be working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know I’m definitely missing something here lol

Sounds like I had the exact same problem. Do you see errors in the log of your share?
For me the script for getting a server was the problem. The box was trying to fetch the script, but the connection always got closed.
I had to actually fire up/configure a server, and NOT use the usual script, to make it work.

It seems that the RFI is not the intended way; found stuff for another exploit, didn’t root yet.

Hey Boss,
I’ve done with my tasks and I’m awaiting new challenges.
KR C****

I think the hints are already really comprehensive and I can only add where I was stuck:
Foothold: RFI is not limited to HTTP.
User: if you have creds, use them.
Root: Don’t stop enumerating if you think you have what everybody in the forum is speaking about. Think about places which were not accessible in earlier stages.

@theonemcp said:

@ShadowSuave said:

I feel like I’ve tried every type of encoding, wrapping, etc. At this point I’m wondering if it’s a problem with my share. Is there a way to test that? (I’ve tested in smbclient and it seems to be working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know I’m definitely missing something here lol

Sounds like I had the exact same problem. Do you see errors in the log of your share?
For me the script for getting a server was the problem. The box was trying to fetch the script, but the connection always got closed.
I had to actually fire up/configure a server, and NOT use the usual script, to make it work.

Yeah, I realized it was my payload that was the issue lol I eventually managed to get a meterpreter shell with a different pl but the session dies within 30 seconds. Gonna see if I can get something else working

Finally got user yesterday. Big thank you to @peek for being so patient with me.
Still don’t know why I had to do it a little bit different to make it work ?
Now on to root, I’m currently looking for that file everyone is talking about…

I got user but I need a hint for root :neutral: pls help me

Rooted this box. I agree with guys who said that the root is a bit weird. Exploit is unstable.

This box is kicking my a**, I have creds and have an idea of how I’m supposed to use them, but I’m stuck in this webshell and can’t seem to get an actual shell… I’ve tried uploading payloads via the webshell, I’ve tried executing a payload straight from my share… used exe, pdf… nothing seems to be working, where am I going wrong here?

Edit: got a shell ? creds are incorrect?(guess I’m using them wrong) ? this box is beating me up lol

What a ride I learned a ton with this one!

PS C:\users\administrator\Desktop> whoami
whoami
sniper\administrator
PS C:\users\administrator\Desktop> 

@theonemcp said:

@ShadowSuave said:

I feel like I’ve tried every type of encoding, wrapping, etc. At this point I’m wondering if it’s a problem with my share. Is there a way to test that? (I’ve tested in smbclient and it seems to be working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know I’m definitely missing something here lol

Sounds like I had the exact same problem. Do you see errors in the log of your share?
For me the script for getting a server was the problem. The box was trying to fetch the script, but the connection always got closed.
I had to actually fire up/configure a server, and NOT use the usual script, to make it work.

I am also blocked at the same point. After trying LFI and not finding the way, I tried RFI through an HTTP server, and also I have only seen that I made a connection from the server to my machine through SMB, but it is only the access attempt; then the connection is closed.

Handle: ConnectionResetError object is not subscribable

I’d appreciate some help or a clue, to follow up.

Greetings.

@ShellInt0x80 said:

@theonemcp said:

@ShadowSuave said:

I feel like I’ve tried every type of encoding, wrapping, etc. At this point I’m wondering if it’s a problem with my share. Is there a way to test that? (I’ve tested in smbclient and it seems to be working) I’ve tried every technique I can find for this RFI and still nothing :confused: I know I’m definitely missing something here lol

Sounds like I had the exact same problem. Do you see errors in the log of your share?
For me the script for getting a server was the problem. The box was trying to fetch the script, but the connection always got closed.
I had to actually fire up/configure a server, and NOT use the usual script, to make it work.

I am also blocked at the same point. After trying LFI and not finding the way, I tried RFI through an HTTP server, and also I have only seen that I made a connection from the server to my machine through SMB, but it is only the access attempt; then the connection is closed.

Handle: ConnectionResetError object is not subscribable

I’d appreciate some help or a clue, to follow up.

Greetings.

Try not using the script, but make a server on your own. That should work. The script doesn’t play well with the box, it seems.

Finally got Root. Big thanks to @qdada and @foxlox for helping me. Had a really hard time doing this. And in the end I had to use Windows to get the payload working. But it paid off …
Hints for root: Just follow the instructions you find by the book and finish C***'s work, because someone is really eager to read it …

Finally Rooted this box! Without a doubt, one of the most interesting User flags ever. Gotta agree with others about the root being a bit unrealistic and often frustrating.
If someone exploited it using the manual method, could you please PM me? Would love to understand where I was going wrong, as I had to resort to the script to root.
Great box overall!

This is the first time I’m posting in the forum because this box is kicking my ■■■! I feel like I’m right up to the very last step before root and my payloads just aren’t landing…

Would anyone be willing to PM me to tell me what I’m doing wrong?

EDIT: Never mind - I got there in the end! Turns out it’s quite fussy about what kind of shell you’re trying to obtain. :wink:

I’m bored with the payload, I tried on 2 VMs, I get nothing

Got some slightly “usable” creds, but can’t figure out privesc from ir to cs. Can someone DM me a nudge or a hint? I think it’s something to do with using my**l to get to the user flag.

EDIT: if Nish*g scripts don’t work due to A/V is there an alternative?