Hi all,

I’m stuck on the Devel machine. This is my first time doing this sort of hacking – my experience is almost exclusively web app testing and code review, so bear with my n00bishness.

What I know so far:
- There are 2 ports open – ftp and tcp.
- The FTP server allows anonymous users.
- The FTP server lets you upload pretty much anything (I haven’t found any limitations so far.)
- You can use a browser to navigate to pretty much any file that’s been uploaded using FTP. (I say “pretty much” – some of them give me 404 errors even when I run ‘ls’ on the FTP server and confirm that the upload succeeded. I’m not sure why that is – if anyone knows or could nudge me towards some resources to help figure it out, that’d be cool.)

Where I’m stuck:
When I try to upload something that’ll execute system commands (I’m mostly doing .aspx files, but I’ve tried a few other things too), I get a 500 server error.

I’m fairly sure it’s the system commands part that’s causing problems – I did some incremental testing with files starting at “hello world” and getting a little more ambitious every time. It was the ones where I tried to run OS commands that I hit problems.

Anonymous login – do I need to figure out how to log in as someone other than anonymous in order to move further with this challenge? If so, can anyone point me towards a good technique or tool for doing so – there’s brute force, I suppose, but that seems sloppy.

Other permissions issue – is there some sort of limitation on which files are allowed to run system commands? If so, could use some tips to help me figure out how the permissions system is working and things I could look into to circumvent that.

Again, would like to emphasize: I am NOT looking for spoilers. But this is my first try at something like this, and unlike when I was getting into web apps, I don’t know of any good handbooks that cover basic techniques or methodology. (I mean, there are, but they’re mostly “how to run metasploit.” Which seems like cheating, at least at this stage.) What I’m looking for are general hints, links to resources (blogs, books, etc), that sort of thing.

You’re on the right path with the .asp techniques.