Bounty

@Randsec said:
Unable to get anything apart from some directories. Are typical crawlers OK, or are people using another kind of tool?

Crawlers/spiders may not do anything for you…those just click on active links, they don’t really help you find directories that the server has no link to.

Any hint as to what to find with dirb? Can’t enumerate anything apart from an IIS dir and a forbidden upload dir

@nardin said:
Any hint as to what to find with dirb? Can’t enumerate anything apart from an IIS dir and a forbidden upload dir

Maybe you’re not looking for a directory :wink:

Maybe you’re not looking for a directory :wink:

Done that too… But I’ll try more :wink:

Can someone give me a hint on the initial attack vector on this machine? dirb and burp haven’t given me luck in this challenge.

Kicking myself, working on RCE now. Don’t overthink, make sure to google and make sure you know the general workings of the service running

Rooted…if you’re on US VIP servers the box was very unstable…switched to EU and method I was trying for a few hours worked.

@isuckatcyber said:
@Randsec said:
Unable to get anything apart from some directories. Are typical crawlers OK, or are people using another kind of tool?

Crawlers/spiders may not do anything for you…those just click on active links, they don’t really help you find directories that the server has no link to.

Yea, I meant brute force.

@minhhungvn said:
Can someone give me a hint on the initial attack vector on this machine? dirb and burp haven’t given me luck in this challenge.

Spoiler Removed - Arrexel

any hint on how to exploit the viewstate?

Any hints on enumeration wordlists? Tried the IIS related (hope this isn’t spoiler) wordlists inside SecLists and all I got was a forbidden directory.

Is anyone able to get a stable shell? Mine keeps getting a 500 after 2 requests.

Having trouble with PrivEsc, if somebody feels like giving some advice please PM me.

Hi,

Just rooted the machine.

@J3rryBl4nks said:
Is anyone able to get a stable shell? Mine keeps getting a 500 after 2 requests.

I got this too, but after I refreshed the page it was OK

@Waffles said:
Having trouble with PrivEsc, if somebody feels like giving some advice please PM me.

Don’t over complicate, find the arch of the machine and follow this rabbit :wink:

@J3rryBl4nks said:
Is anyone able to get a stable shell? Mine keeps getting a 500 after 2 requests.

Yup, very stable until someone reset the box :wink:

Just remember:

  • If you upload something and get a 400 error, then the upload failed despite the “success”
  • If you upload something and get a 500 error, your payload is wrong

Before resetting the box, try with an image; if you can get it afterwards, then Bounty is working well.

@mpgn said:
Hi,

Just rooted the machine.

@Waffles said:
Having trouble with PrivEsc, if somebody feels like giving some advice please PM me.

Don’t over complicate, find the arch of the machine and follow this rabbit :wink:

Holy ■■■■!

I spent so long on getting a stable functional reverse shell that I didn’t even notice this part. Literally after you said that the light bulb turned on and 5 min later I had root.txt

Found interesting files. Doing a google search and using dirb is enough. I think this step is uncommon so maybe you could skip it (for anyone who found nothing in the Web Server) :smiley:

I’m uploading a file generated with msfvenom compatible with the web arch of this server, meterpreter/reverse_tcp, and it doesn’t work, does nothing. I tried it also in one of my virtual machines with the same webserver installed on it and it does not work there either. I think msfvenom has problems generating working files for this specific web arch; have any of you had the same problem? Should I find an alternative way than msfvenom and the metasploit handler to get a reverse shell?

My web shell keeps getting stomped so fast I can’t enumerate anything.

Guys I strongly recommend doing this box in a private (FF) or incognito (Chrome) window and be sure to delete all site data (cookie, cache, offline data, etc.). Once I figured this out (with the help of @im4x5yn74x), I didn’t have to keep resetting the box. I was able to recover it after it started to hang, which it did A LOT. Practically after every “major” command I ran. Until I caught onto this, I was unable to “execute” despite my other successes. I hope this helps someone.

Remix: Ok, it’s actually better without the private/incog window. That way you can delete the site data when you need to without sometimes needing to reopen the window.