(Quote)
I tried same thing and added debug lines. I don’t get to end, but the shows lack of cookies, so I too think this is the wrong route.
No, I did the same thing. Look closely where the script tries to print the cookies. It’s at r1, while it logs in afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong?
Hope it’s not a spoiler and we figure it out soon!!!
Rooted, fun box! A tip for the exploit that helped me was to really read it all and see what it’s initially doing, then look through it a little more and see what arguments can be made to make it really run how you want. Root is a lot easier than user IMO. PM for hints, but let me know what you’ve done/tried so far.
Once you’ve got creds for the site you don’t need to use the full POC that presumably most of us found for RCE. You can just use the admin portal to do everything it’s doing manually (just copying the payload part itself and modifying it to suit whatever you want to run). This way you don’t need to worry about any cookies or viewstate stuff and can just focus on the payload.
(Quote)
I tried same thing and added debug lines. I don’t get to end, but the shows lack of cookies, so I too think this is the wrong route.
No, I did the same thing. Look closely where the script tries to print the cookies. It’s at r1, while it logs in afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong?
Hope it’s not a spoiler and we figure it out soon!!!
The injection point is browsable, so I think it is correct.
For anybody who thinks that the “Start End” exploit isn’t the right way: It is! I personally had no problems with cookies or anything.
(hope that is not a spoiler!)
I was able to achieve some info on burp, but I had to manually add in cookies that weren’t setting. Not getting to execution still. Any help appreciated; not the easiest green box
@calamaris I switched my VPN to the US servers instead of EU and now the port is open (and useful). Thanks to @akatsuki and @roelvb for messaging me to say that port should be open
I’m in the US free VPN and nothing, the port is closed, already reset the box
Please help me with user.
I’ve got a username (s****) from one of the files and also got the login portal.
I’ve tried password bruteforce using Hydra, but no luck.
Is there anything else that I am missing out for the password?
I’m also in the same boat as you: got users and a hash for the password, but can’t crack it with hashcat. Have you been able to crack it? Please PM how you did it.
One is very clearly intended and relates to the name of the machine. The other I’m not so sure (but after speaking to a few people, seems plenty of people have done it that other way).
If you want to start a new process, how else are you going to specify that without a file name and arguments?
Thinking from a Windows box, if I want to run calc.exe, I just type it in the run box. I do not have to open a command prompt to say to open calc. Thanks for your reply though.