Bounty

@0x23B said:

@panic said:
FINALLY GOT IT. Literally the last possible thing I could try, worked. It was in my OSCP notes all along but I’d never actually used the specific technique… ■■■■ it. Lol.

Do you have any hints for people who do not have your OSCP notes? I got the idea of how to upload the file and what is necessary to execute it. But I can't manage to embed the payload within that particular file and have it launch a reverse shell from that.

I would also appreciate a nudge on the file upload. I have found a couple of allowed formats, but I'm not sure if I can use them.

Rooted, finally. PM if anyone needs hints.

I have nt authority\system … but the website says the hash I got is not correct for Bounty… hrmm… do I need to hunt around? Or is something messed up?

Got Root! Great machine!
But can someone please PM me how you got a meterpreter session? I was not able to get meterpreter at all…

First I tried to upload some webshell, but I couldn't manage to get it executed, so I tried some hello world script: same (HTTP error 500) :frowning:

@techdad said:
the website says the hash I got is not correct for Bounty… hrmm… do I need to hunt around? Or is something messed up?

Predictably, after a reset I got a different hash that was fine.

To whomever uploads a modified flag file: you are a ^%&@%&#^%@&%**QWE&^*E!

The box is unstable.

@p1d0f said:
The box is unstable.

I think it is more the users/attackers that make it so, when trying the same thing as you are doing.

I have been working for several days now on this box, trying to get a shell running. I've tried several ways, but none of them work. My meterpreter shell gets the connection but quits after "Sending stage"; another reverse shell also closes immediately.

I know the server, the supported file type and the supported language, but the reverse shell part drives me crazy… Any hints?

Reverse shell seems a little bit tough and unstable.

I finally got the user and want to share some important steps with you:

  • There are some rabbit holes!
  • Do a proper enumeration
  • When you find out what kind of data can be “injected”, you’re probably on the right track, keep going, there is more
  • It’s very easy to verify RCE (like “copy, paste, verify” - that kind of easy)
  • Now you have to find the right payload, which is not that easy, but possible. Shorter payloads will help you understand issues :wink:

Can anybody PM me? I'm so stupid - I can upload files, but can't take a shell or smth like that (

@kiriknik said:
Can anybody PM me? I'm so stupid - I can upload files, but can't take a shell or smth like that (

PM'd

Can someone PM me on what kind of payload I should upload?
I found a few extensions that are whitelisted but am very lost on what to do next.

I struggled with the user portion because the way it's supposed to be done is not that obvious imo - probably a good thing for a challenge lol. Privesc is trivial though.

Can't even get the initial foothold haha :''v

I've found where I can upload, and where my uploaded stuff goes. I have not been able to get RCE from there though. When I bypass the upload filter a few different ways, I just get a 404 at their destination, or non-executable payloads. Any hints on what I might be missing? I would appreciate any guidance.

@deadbear said:
I've found where I can upload, and where my uploaded stuff goes. I have not been able to get RCE from there though. When I bypass the upload filter a few different ways, I just get a 404 at their destination, or non-executable payloads. Any hints on what I might be missing? I would appreciate any guidance.

Same situation here, can someone PM me for help?

@dhar40k said:

@deadbear said:
I've found where I can upload, and where my uploaded stuff goes. I have not been able to get RCE from there though. When I bypass the upload filter a few different ways, I just get a 404 at their destination, or non-executable payloads. Any hints on what I might be missing? I would appreciate any guidance.

Same situation here, can someone PM me for help?

Perhaps others found different solutions, but what worked for me was not trying to bypass the filter at all. I just uploaded a file it will accept and put minimal code into that file.

For those who are struggling to get the initial foothold, be assured that I struggled for a very long time to get user on this box, and it was a great learning experience. If you've enumerated enough, the clues given in this forum are enough to get you there.

Maybe it's the type of file you're uploading… Maybe it's a less common file extension, and it can run from that file directly.