Hint for HELP

Finally rooted!

Hints:

  1. Since the app is open source, I’ve installed it in my virtual environment. This helps to understand the right path for uploading files and what changes to make in the exploit;
  2. After getting the shell, find out the way to make the shell stable;
  3. To get root, use a well-known exploit.

Got root! Was able to get user via the unauthenticated way. After looking at the src code for the n***s way, I have no idea how I was supposed to ever get that…can someone PM me the route for that? Maybe I am not understanding something.

For user: the “basic” way everyone is talking about I believe is unintended. It’s way too simple. There is another way that you get via enum, however, I was not able to get the exploit working. Did anyone have success with this?

@Psycho00 said:

I need help with that RCE, I can’t upload my shell

Errors can lie…you might just not be looking in the right place for your shell, or not looking at the right time.

Finally got user and root, harder than expected due to it not being the most obvious attack path, though lots of learning as always.

Some great hints on this thread…it is worth downloading any source code you may stumble across and setting up your own version of the server.

Ignore time zones, think about what epoch is.

Be methodical, various hints on uploads already on here…confirm what can be uploaded with more expected files and progress from there, maybe file sizes could play a factor.

edit: The “spawning root shell” exploit works. Just that it closes immediately. Stuff its mouth with some “food” before it closes and you will get the reply.

Ajjjj I don’t find the correct upload_dir :frowning:

I need help <_>
I’m trying via the php shell way. I think I got my time correct (not 100% sure), not sure if I bypassed the file upload (Still says file not allowed), and have looked in the directory but still getting a “Not Found” response.

@BLZ said:

I need help <_>
I’m trying via the php shell way. I think I got my time correct (not 100% sure), not sure if I bypassed the file upload (Still says file not allowed), and have looked in the directory but still getting a “Not Found” response.

I’m like that too

@BLZ said:

I need help <_>
I’m trying via the php shell way. I think I got my time correct (not 100% sure), not sure if I bypassed the file upload (Still says file not allowed), and have looked in the directory but still getting a “Not Found” response.

Same problem. How to get the correct server time, or it doesn’t matter?

User wasn’t that interesting, stuck on root now though…

@BLZ said:

I need help <_>
I’m trying via the php shell way. I think I got my time correct (not 100% sure), not sure if I bypassed the file upload (Still says file not allowed), and have looked in the directory but still getting a “Not Found” response.

same here

Maan…I synced my time…read the source line by line…and I exactly know what line plays with time and the hash… still I can’t find my shell…and I exactly know which dir I should search for…
This thing is driving me crazy…
If anyone wants to point out the error, I’ll be grateful…

@m0f0 said:

Maan…I synced my time…read the source line by line…and I exactly know what line plays with time and the hash… still I can’t find my shell…and I exactly know which dir I should search for…
This thing is driving me crazy…
If anyone wants to point out the error, I’ll be grateful…

Come on bro… I’m here to help you… Ping me?

For anyone having trouble finding their shell…confirm it works with a more expected upload, say a jpeg.

I’m smashing my head against a wall here, had a user shell earlier and grabbed the user.txt however must have been lucky - I’ve spent 2 hours trying to replicate the exploit with no luck.

Hahahaha. What a sh*t show this box was for me. I knew to attack the high port right away (the REST alternative). Took me a while to get the query right as I haven’t done a whole lot with APIs/query languages. Glad to have learned some about it!

Once I had those creds I had no idea what to do with them since the first time I ran port discovery, somehow a very important common web port didn’t show up in my output. When people here started talking about a web app I realized something didn’t add up and looked back at my ports to realize one was missed and that’s where the creds could be used. I used the creds and quickly realized what vulnerable software needed to be exploited. Messed with the script a little from Exploit-DB and read the web app’s relevant pieces of source code on GitHub to figure out how the files were uploaded and stored. In my opinion there is one sentence that the comments in the exploit script fail to include which should mention more about an error message you receive when uploading, even if something did work properly, and that you should just keep going with the next steps of the exploit anyways.

If you really understand how the script works, and really understand how the upload works you should be able to get a reverse shell to get user. Now that I’m ready to punch my own face for trying too hard to bypass file upload filter (ha…) it’s time to move on to root. Hopefully like many have said, it’s easier than user. Sheesh.

Root took about 3 minutes. Which is fine with me after that user madness.

Can someone give me a hint about privesc? I found that mistype and tried to guess the pass, but it didn’t work.

Can I get a PM for the intended path for root on this box? I am curious how that works out.

I have webapp user creds, but I cannot get the authenticated webapp exploit to work and I am unsure how to bypass the upload restriction for the unauthenticated webapp exploit.

Would someone mind suggesting a retired machine to review or some reading material?
Feel close, let me know if I am way off.