Stratosphere

I got command execution RCE, but now I’m stuck, tried reverse shell but I failed. Any hint?

I don’t know if reverse shell is possible in this case. RCE doesn’t automatically lead to reverse shell if the machine doesn’t allow opening outbound connections back to the attacker’s machine. If the machine doesn’t allow incoming traffic on ports you can bind, then you have RCE and have to live without a cool shell access.

(Of course I might be wrong, just got RCE an hour ago or so, but it would appear to be that way. I haven’t exhausted all the possibilities for this.)

Could somebody PM me about a useful wordlist? I have run fuzzdb and seclists. There was no action for me. Also no world greetings =(

Try to use the dirbuster-medium wordlist

You can PM me if needed for help :wink:

Edit : dirbuster list is cool :wink:

So based on all the comments here I have found it’s vulnerable to RCE and can confirm this by getting an evaluation back. What I’m struggling with is how this is used to browse the file system. Can’t get any further. A pointer in the right direction would be great. Or a DM if it’s easier. Same username on Netsecfocus

Any hints with restricted shell? I can’t even access user.txt. I know about r****** user but can’t access him. Also just as mentioned reverse shell/bind shell/wget not working.

Can anyone PM me and help me to get user.txt? Already RCE

Stuck with the Python script, do I need to find a way to edit the file or must I create a script and run it within?

Awesome Challenge! Remember to enumerate “everything” :wink:

@vulntor said:
Can anyone PM me and help me to get user.txt? Already RCE

Already root. Learned a lot

I have been sitting with this box for days. I have RCE. If anyone would like to give me a nudge in the right direction it would be very much appreciated :slight_smile:

Same as above. Got RCE. Enumerating. Can’t seem to find creds that do anything. The creds I have found don’t appear to work anywhere. Ideally ssh would be good! Any nudges going free …

@FloptimusCrime said:

@NINGEN said:

@FloptimusCrime said:
The q4 is making me mad. Anyone with leads on this? Please PM me

There’s a specific format that you need to use. Look for a command in john that will list out all available formats.

I got root without solving the puzzle. :smiley:

Same here.

All in all, it’s an easy box. Everything you need is right there, in front of your face … some rabbit holes, yes, but I guess they are easy to spot… Don’t bother trying to get a reverse shell, though, RCE is all you need…

@socialkas said:

@FloptimusCrime said:

@NINGEN said:

@FloptimusCrime said:
The q4 is making me mad. Anyone with leads on this? Please PM me

There’s a specific format that you need to use. Look for a command in john that will list out all available formats.

I got root without solving the puzzle. :smiley:

Same here.

All in all, it’s an easy box. Everything you need is right there, in front of your face … some rabbit holes, yes, but I guess they are easy to spot… Don’t bother trying to get a reverse shell, though, RCE is all you need…

Agreed. Every time I think that my attention to detail is spot on… something like this box comes along. A very good and enjoyable box!

Like many here, I have RCE, pretty much know reverse shell isn’t going to work, and have enumerated all over the place finding a few creds but they don’t seem to work anywhere. Can someone please PM me with a nudge to get to a shell somehow? Not sure why I am having such a hard time on this one but it’s kicking my ■■■. Thanks bigtime in advance.

I think I found what I need to be exploiting for RCE, but I’m not sure if I’m doing it on the right page. Is there a way to identify if this is a problem, or is it just trial and error?

You could try sleep as the payload if you are not getting output back but want to verify that remote command is executed. sleep(2), then sleep(5) and after a few requests you can be fairly certain if the commands are executed. Obviously you need to get the output somehow, but it’s easier to work if you can first verify the execution happens.

Hello, I haven’t got RCE yet, but I think I am on the right track. Can anyone PM me so I can confirm whether I am going in the right direction?

Having trouble with exploiting the vulnerability. I have the exploit. Whenever I try to exploit it, either using the PoC or manually using Burp, it gives 403 errors. Don’t know what I am doing wrong. A hint would be appreciated.