Hello! It’s the first box I am doing. I read all hints here but still I can’t find the correct CVE for user. After finding 2 error messages I narrowed the list of CVEs.
I have focused on a specific blog post and a corresponding GitHub example, but I can’t perform any RCE. So I have 2 questions:
Can I PM someone so I can make sure that I am working on the correct CVE?
Do I have to pass my exploit through Burp? I was passing my exploit through the web form. Will Burp make any difference? If yes, why?
Rooted. I do have a question about getting root though: I found that thing that repeats. It made sense. But where is it stated that it repeats? I just assumed.
Got user, then root, after a bit of fiddling with the payload. Enjoyed this one - worth getting to know how this really works, and how significant this class of vulnerability is.
I found Java PoC code, I think it’s for the right CVE. But I get errors when compiling. Can I get a hint?
You shouldn’t need to compile an attack for this. You can use an injection which calls your attack file.
I saw your post and I said, I did this, but why didn’t it work at all? Hmm…
Then I spent a little more time tweaking my inject script, and foolishly, after examining it more closely, I had a stupid typo in it.
Thanks @TazWake, your post kept me on the right track.
And rooted!
Now ready to help anyone, PM me for any hint or nudge.
The foothold of this machine was unexpected to me but it taught me to look at errors in my validation payloads. After searching errors you will probably reach j*n r g****b pa so just implement it with little modifications.
Root: enumeration scripts will show you an unexpected file…
If anyone needs help, they can send me a PM.
I am getting a weird fail message, “lock: 3 exclusive write lock requesting for SYS”, when trying to reverse shell. Does anyone know what this is? I googled it but couldn’t find anything.
Hello!!! I’m a beginner and learning the methodologies… Could anyone please help me with reaching out the Time… I have done enumeration… But I’m unable to find out…
You will need to find a vulnerability in the website. Try different inputs and you will see some errors. Googling the errors will get you the correct CVE.
(note: I tried many different CVEs to find the correct one.)
This is not a good box to start on. It is rated medium, but I would suggest that is down to how you don’t really need to create much unique code. It is not easy.
I have googled all that I can understand and I would love a PM if anyone is willing to nudge me in the right direction.
The basic advice is to google the error message, read the results, try something else. If that generates errors, google them and so on.
Eventually, this narrows it down to an exploit that - with a bit of modification - becomes successful. It is likely to need a fair amount of trial and error.
I’ve actually gotten around to that and googled the error messages. And I found the right CVE, I believe, with all the hints. Now I guess I will have to figure out how to modify the exploit…
Awesome.
One of the frustrating aspects of this box is that all the answers are actually on the GitHub page but because it talks about a lot of different things, it can be really, really hard to work it out.