CrimeStoppers

I probably am in the same place as the previous posts… I can read some source code, and i got direct access to the file tips I upload. Payload in the files however does not want to execute. Anyone willing to pm a nudge? Thanks…

The payload must be “handled” properly. I had to use the editor in the proxy to tweak my upload request after sending it from curl.

This thread now contains multiple hints. Thorough research for all possible ways to get execution with the site’s technology is useful.

@windsurfer said:
I probably am in the same place as the previous posts… I can read some source code, and i got direct access to the file tips I upload. Payload in the files however does not want to execute. Anyone willing to pm a nudge? Thanks…

modify the post payload according to the hint in the source code…

Hey can I get some hint, I am drawing absolutely dead, cant even locate the files being uploaded.
I know the type of attack we need to perform but nothing is working.
Thanks

Okay i was able to read the source codes for the file as well the darkarmy message.
But not able to upload files for RCE. Anything there??

The source code comments suggest that RCE is tricky and also gives some hints about the right/wrong idea to get RCE. You said that you know the type of attack, but are you sure you have analyzed all the different paths to RCE with the programming language that site is using? This is a bit exotic, but not obscure. Well documented, just not the most popular RCE path and the most popular paths do not work in this case.

Hey guyzz …!! stuck on the initial stage , read the first hint by W!@#$r0Z.txt , then according to it got a parameter which says that "Its *** **'s ",
am I on the correct path,
i think it will lead me to a sourcecode disclosure smthing…idk yet
some hints are welcome,
Thanks …!!!
@lokori @abogaida @3mrgnc3

@p5yph3r said:
Hey guyzz …!! stuck on the initial stage , read the first hint by W!@#$r0Z.txt , then according to it got a parameter which says that "Its *** **'s ",
am I on the correct path,
i think it will lead me to a sourcecode disclosure smthing…idk yet
some hints are welcome,
Thanks …!!!
@lokori @abogaida @3mrgnc3

Unfortunately I do not have a shell yet :frowning:

Do you mind if i pm you ?
@abogaida

Could anyone point me in the right direction in regards to looking for the initial entry point? I can send you what I have so far over PM to avoid spoiling it for others!

@druid there is a way to read source files with some tweaks.
check this “https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

Thanks @kamalawy, I’m struggling to even find the right parameter :anguished:. Guess I’ll just keep poking at it, but feeling veerrry lost with this one.

@kamalawy said:
@druid there is a way to read source files with some tweaks.
check this “https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

all I get is a comment over 90s

@macw141 said:

@kamalawy said:
@druid there is a way to read source files with some tweaks.
check this “https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

Have it, great tip! Thanx! Did not try earlier this way.

I think this is my favorite htb… great box all around

I did not get priv escalation till now, i found some files that talks about malicious plugin, but could not figure out how to use it. any hints/articles will be appreciated.

Keep getting “No such page”. It seems like I’m doing everything right, obviously not though. Could use a hand if someone else had the same issue.

know how to read the files, but can not leverage this to execute something. can someone pls pm me?

@vulture said:
know how to read the files, but can not leverage this to execute something. can someone pls pm me?

Everything you need is already posted here.

Spoiler Removed - Arrexel