Admirer

@rulzgz said:

This one is beating me, I’m stuck and a bit frustrated. I think I missed something along the way, but I can’t even figure out what it is. If someone can throw some light on my darkness, just to see the path and continue…

Everything began fine, the initial enum was slow but nice, everything flowed, and with any piece of info I found, after analyzing and checking it, I had a mental image of the next step or what to do to keep moving forward… But suddenly, when some good stuff and an interesting vector popped out… just when I had the feeling that I got the main thing… I get blocked, stuck without any clue, or what/where I need to look for the next step.

Summarizing what I found:

  • With many other creds I found a working user/pass, that gives me the db schema and data, and a compressed backup of web files. The service config seems to allow me to enumerate valid users even without a password, but I couldn’t find any other account.
  • I was able to relate some of these files with the ones served on 80, but I also noticed they are not exactly the same: some files disappeared, others are just different, and I even found a file that looks like the main web content but is definitely not the same, because the downloaded one has a typo that will throw a syntax error.
  • I played with the files I found: the purple info page, the test script, the script that triggers a common task executing a shell script file. Nothing useful found.
  • Some of the disappeared files gave me the idea of what I need to search for; the content talks about a to-do and searching for an open source alternative. When I noticed that, I quickly found the alternative open source tool.
  • The hypothetical creds needed to use the tool didn’t work as expected (previous typo error) and after some research I found the vuln, that worked fine, but I can’t get any useful info that makes me advance or even a clue of the next step…

I understand the vuln, I can make it work with a fake server and with a legit one installed for this purpose. I even analyzed the protocol packets with wshark trying to find some leak that didn’t show in the “normal” output.
I can access any file within basedir, but with the known files and paths I only get the correct credentials to use with the tool, that only allows me to read a bunch of items.
If I try to read any file outside the basedir, not allowed. I have not found any way to bypass this limitation.
I tried to think of possible content, filenames, made a wordlist permuting possible files, and variations (backup, temp, old files…): http server files, config files, version control files, system files, guessed some possible files… without a single hit.

And now, I’m blocked, no idea what to do, what to search for or even any hypothetical way to advance toward the user flag… I’m sure I am missing something, but I can guess where, when or why…

Any clue or suggestion of what to do or what to try? I’m very frustrated, and the feeling that I’m close or that the missing piece is some crystal-clear-stupid-small-obvious thing… it’s killing me.

thanks

Hey @rulzgz, in that “compressed backup of web files” there is a “main” file that you need to look into; it is evidently outdated, but now you have a way to get the latest …/bye!