FluxCapacitor :@

I have fuzzed everywhere without success. Searching for the parameter, testing wildcards, coding the above. Surely in the wrong direction.
Can someone give me a nudge in private please?
Thanks in advance.

do not send me all at once xd. 0 PM TY

@Boxito said:
do not send me all at once xd. 0 PM TY

Stop spamming. There are plenty enough hints to solve that box. Just search the forum.

Tried fuzzing with wfuzz to find out the parameter but no luck. Any hint on fuzzing?

Is it a GET query string?

I can confirm that wfuzz’ing for a parameter works. You just need to keep trying different sources of dictionaries. SecLists is almost always a good choice.

I think I found the parameter :)

Now the fun starts off.

I need a little nudge on what I'm looking at here. When you guys say fuzzing about parameters, are you on about HTTP verbs (GET etc.)?

Sorry, I am quite new to fuzzing etc., so I am looking for some direction to learn towards.

Hi, can anyone please PM me to clarify things? I found what I reckon is the right parameter and found some interesting stuff with wfuzz. However, I am still not quite done yet. Thx very much!

Will fuzzing work with the default wordlists in wfuzz? I’m trying to narrow down the parameter but I don’t really know what I’m looking for. All I get is 403 forbidden pages.

I have the parameter, can inject, and can upload a payload, but cannot execute. Anyone want to send me a pm to discuss this portion? Don’t need a straight answer but I need to discuss different techniques.

So I have the user.txt. Now for priv esc, anybody succeeded? I have some enum details but not able to upload any shell.

@FloptimusCrime said:
So I have the user.txt. Now for priv esc, anybody succeeded? I have some enum details but not able to upload any shell.

basic enumeration will get you on the right path

Also struggling with this one - I have the arg and am aware of how to get the command through but haven’t been able to prove any kind of execution yet. I feel as though I do not understand what context the command is running in - do I need to escape from another command first? Trying to figure out how this arg is related to the page…

If someone could PM with a nudge on how to utilize the found parameter? There is no apparent change in the output with the input I give except for those that are rejected by the WAF. Any help would be appreciated.

Got it. For reference in case anyone else runs into this, my error was syntax based. Don’t assume your command is being sent in the way you type it, use a proxy and examine what exactly is sent to the target.

As for finding the parameter, I formulated a command that I thought should do something (did not result in an error) and did as others suggested (fuzz). Good luck

@Omnisec said:
If someone could PM with a nudge on how to utilize the found parameter? There is no apparent change in the output with the input I give except for those that are rejected by the WAF. Any help would be appreciated.

You should check out these blog posts

  1. Web Application Firewall (WAF) Evasion Techniques | by theMiddle | secjuice™ | Medium
  2. Web Application Firewall (WAF) Evasion Techniques #2 | by theMiddle | secjuice™ | Medium

The initial stage is all about getting the right method and combination. Try it out and then PM me if you are still stuck

@0PT1MUS said:

@FloptimusCrime said:
So I have the user.txt. Now for priv esc, anybody succeeded? I have some enum details but not able to upload any shell.

basic enumeration will get you on the right path

Hey, so I figured something out. Can I PM you so that I don't spoil it for others?

Got root without shell upload. But if someone succeeded in uploading a shell, please PM me to exchange the methods.

I think I have basic RCE (with only a very limited subset of commands and no parameters; WAF is working very well). Now I am trying to obtain full RCE. Is this at all possible? I tried any possible globbing, to no avail. Any help? PM?