@davidlightman Even basic RCE is enough to complete this. However, it is also possible to do what you are trying to do. Feel free to PM. However, I think there is enough information here to solve.
P.S. Works without globbing as well.
@Omnisec said:
@davidlightman Even basic RCE is enough to complete this. However, it is also possible to do what you are trying to do. Feel free to PM. However, I think there is enough information here to solve. P.S. Works without globbing as well.
Thanks. I got the user flag. Working on the root flag right now.
Can someone help me out? I am not sure how to properly fuzz /s???. Send me a PM please.
Beware of certain HTTP clients in your attempts!
Some HTTP clients do not respect your wishes!
As already said, check with Burp if the parameter is being sent exactly as intended!
I spent several days finding out about this issue!
Thanks so much FloptimusCrime for the tips!
Can someone tell me if I’m on the right road? I have been trying to insert a t?m??t??p in my requests to /s??? in Burp Suite… I’m getting a t?m??t??p response. Is that it?
Anyone able to confirm if I am heading in the right direction? I believe I’ve found the param though having trouble getting a direct or indirect response. I’ve read the guides provided on this thread.
I’m stumped with this one. I understand how WAF bypasses work, but I am failing to find a param to fuzz. I’ve thrown some random POST params based on certain comments and successfully used a GET to see a timestamp. I am missing something obvious and it’s killing me.
I think I have the param, as I get a different response when sending a GET, but still can’t get the right syntax to go any further. I have read the articles on WAF, lots of access denied. Any tips, please?
@hexiburner said:
I think I have the param, as I get a different response when sending a GET, but still can’t get the right syntax to go any further. I have read the articles on WAF, lots of access denied. Any tips, please?
Consider what inputs you were giving to that param, and what could be worth injecting to see a valid response.
For those that haven’t got the param, be methodical. Consider what input is likely to generate a different response (error).
From experience, don’t focus on globbing too much (like I did initially), think about what techniques you’ve learnt from the articles to do WAF bypassing.
Cheers Gear01, I shall persist!
Can somebody check whether I found the parameter correctly? PM pls
Hello everyone! I would highly appreciate it if someone could PM me with some hints. I want to tell you what I found so far without giving any spoilers on this forum. Thank you!
Finally got user.txt
I got a shell!
I got root.txt!
Hints on the parameter fuzzing are much appreciated
I would love a hint too on the parameter… I ran every wordlist I could find.
Please help with the parameter, I don’t get it. Please PM
Got the param, injecting and just getting back an empty response… it’s killing me
@binthrust said:
Got the param, injecting and just getting back an empty response… it’s killing me
Bypass the WAF using what you can learn on the creator’s blog