Bounty

Has anybody a hint for me about how to find the directory where the uploaded files are being stored?
Thanks

Gobuster and dirbuster are useful enumeration tools

That’s what I already did (with and without file extension parameters). But I haven’t found anything apart from the aspnet_client folder, which I am not allowed to access.
Btw, I also tried different wordlists (common.txt, big.txt), but nothing seems to work…

@joesch said:
That’s what I already did (with and without file extension parameters). But I haven’t found anything apart from the aspnet_client folder, which I am not allowed to access.
Btw, I also tried different wordlists (common.txt, big.txt), but nothing seems to work…

Aaah, finally found the directory.

This machine is terribly unstable

I’m not having any luck with getting RCE to work. Could anyone give me any tips? I believe I’m bypassing the extension correctly.

Thanks!

Actually, I think I’ve found out what to do for RCE.

Rooted, good box! :slight_smile:

Hi all,

Can I PM anyone to bounce some ideas off on how to gain an initial foothold? I enumerated 2 directories and am trying to figure out how to leverage what’s there…

Thanks

Rooted. User is tougher than root.

I am new here and decided to start with the Bounty machine… But I need help with where to start… can anyone help me out…

Seriously, dude? Try page 1.

Can someone please give me a hint on which payload to use?
I got RCE and I can run basic commands, but I can’t get a shell and some of the outputs are not shown. I always get error 500. Tried a PowerShell one-liner, msfvenom asp/aspx payloads, and similar bind/reverse shells found on Google, but no success so far.
I feel pretty dumb since this box is marked easy, yet it’s giving me more trouble than more complicated machines.

Also PM is appreciated!
Thanks

Can someone give me a hint by PM? I got user. I have RCE. Now I’m trying to upload nc, but file writing is failing, maybe permissions; I don’t know the right dir to upload to. I did try a PowerShell rev, but I’m failing. Am I on the right path?

EDIT: Found a working delivery mechanism.

Got user and root in one hour. Very nice idea and box. Great :slight_smile:

Can anyone help me with an initial foothold because I can’t find the upload file?
Tried a lot of wordlists and only found two dirs aspent/ and up**es/ and can’t use them of course

@D4Vinci said:
Can anyone help me with an initial foothold because I can’t find the upload file?
Tried a lot of wordlists and only found two dirs aspent/ and up**es/ and can’t use them of course

Have you tried enumerating for files to go with your folders? What extensions go with that type of webserver?

@Underworld said:

@D4Vinci said:
Can anyone help me with an initial foothold because I can’t find the upload file?
Tried a lot of wordlists and only found two dirs aspent/ and up**es/ and can’t use them of course

Have you tried enumerating for files to go with your folders? What extensions go with that type of webserver?

It’s aspx files I know, the problem is I can’t find this aspx upload file. If you can tell the wordlist you used, or the file name directly :joy:, would be a great help from you :smile:

Hi guys, I got RCE and a stable shell. Any hints to root it? Msf Bypassuac is not working. Please PM.