Hint for TartarSauce!

rabbit hole after rabbit hole so far, dis gonna be fun

I think it’s a useful exploit but still a bit confusing :astonished: Monstra cms 3.0.4 - Persitent Cross-Site Scripting - PHP webapps Exploit. May I have a little nudge for getting a shell?

I read a little bit. The box is not bad and I have been working on it for a while, a week to be exact. I like the box because it is realistic.

Now the escalation of privileges is killing me, I want to get root.

any suggestion is welcome

@st4rry said:
I think it’s a useful exploit but still a bit confusing :astonished: Monstra cms 3.0.4 - Persitent Cross-Site Scripting - PHP webapps Exploit. May I have a little nudge for getting a shell?

This is not a spoiler!

@Vburgos said:
I read a little bit. The box is not bad and I have been working on it for a while, a week to be exact. I like the box because it is realistic.

Now the escalation of privileges is killing me, I want to get root.

any suggestion is welcome

enumerate enumerate enumerate

Anyone I can PM about this box? I’m having some issues finding a way to get a shell… Login wasn’t too bad, but getting a shell is killing me.

Someone please PM me, I have found the login and have tried all possible functions to change any content/uploads to start a shell but I’m duckin going round in circles…

@Sakk said:

@kluo said:
any hint on priv esc? thanks

pay attention to the ‘differences’

@3mrgnc3 isn’t this a spoiler?? :stuck_out_tongue:

@3mrgnc3 It was a great experience and this is my first PrivEsc of this type.
It was fun :wink:
Keep making such challenges.

Spoiler Removed - Arrexel

@p5yph3r said:
hii guyzz,
any hint to privesc from www-data to (spoiler) or root

enumeration, enumeration, enumeration :wink:

Please remove spoiler.

It takes me a lot to find the right entry point. Any hint would be well received.

@n1b1ru said:
It takes me a lot to find the right entry point. Any hint would be well received.

enumerate more…
There are plenty of hints in this thread already.

@3mrgnc3 said:

@n1b1ru said:
It takes me a lot to find the right entry point. Any hint would be well received.

enumerate more…
There are plenty of hints in this thread already.

@3mrgnc3 I’m really disappointed, lol. I found 2 possible entry points with login forms and I penetrated into one of them. I enumerated different pages and I tried to modify some resources with no success, obviously uploads and updates don’t work. On the other hand, I tried to enter the other one with no success.

@n1b1ru said:

@3mrgnc3 said:

@n1b1ru said:
It takes me a lot to find the right entry point. Any hint would be well received.

enumerate more…
There are plenty of hints in this thread already.

@3mrgnc3 I’m really disappointed, lol. I found 2 possible entry points with login forms and I penetrated into one of them. I enumerated different pages and I tried to modify some resources with no success, obviously uploads and updates don’t work. On the other hand, I tried to enter the other one with no success.

maybe you need to do some manual work?

@3mrgnc3 said:

@n1b1ru said:

@3mrgnc3 said:

@n1b1ru said:
It takes me a lot to find the right entry point. Any hint would be well received.

enumerate more…
There are plenty of hints in this thread already.

@3mrgnc3 I’m really disappointed, lol. I found 2 possible entry points with login forms and I penetrated into one of them. I enumerated different pages and I tried to modify some resources with no success, obviously uploads and updates don’t work. On the other hand, I tried to enter the other one with no success.

maybe you need to do some manual work?

Well, I’ve identified a vulnerable page with write permissions. I can inject some text and vulnerable code… so far not very dangerous.

Hm, I’m stuck in the enumeration… I cannot find anything useful :frowning:

@p5yph3r said:
Hint: if you are on the login screen, username and passwd are both visible to you.
I got it in the first attempt, silliest passwd ever seen by me on HTB.
Also the file upload is not working, nor can we create a user…
As said by sir @3mrgnc3, we have to enumerate more…!!!

It is super annoying for me. I tried common passwords, I tried custom keywords, and the connection is super slow :frowning:

@dmknght said:

@p5yph3r said:
Hint: if you are on the login screen, username and passwd are both visible to you.
I got it in the first attempt, silliest passwd ever seen by me on HTB.
Also the file upload is not working, nor can we create a user…
As said by sir @3mrgnc3, we have to enumerate more…!!!

It is super annoying for me. I tried common passwords, I tried custom keywords, and the connection is super slow :frowning:

I’m in the middle of this box completion and IMHO taking user is if not tricky (technically indeed not very tricky) then definitely very misleading. Box underrated in terms of points. 40 points would be way more correct here.