Finally 
Google is your friend for file locations. You can then get someone to send the contents to you.
Thank you for your tips! I got it!
@baadam
If somebody else have questions for this machine,feel free to ask me 
1 Like
Thank you all for the tips!
1 Like
You are very welcome!
DONE!!
Got the payload and my remote server, I upload de payload for the admin and still cant get a single packet into my nc
Hi there! I discovered the vulnerability, but when I upload the payload in the required file type and set up a listener, even after sending the link to the admin, I don’t receive a single packet back. The port is correct, and so is my IP. What could I be doing wrong?
The best hints have already been posted above.
For the initial foothold:
Search online for where credentials could be stored for the specific server the website is running.
For root:
Look at the processes running and see if there’s a way to run a reverse shell.
Feel free to dm.
Hey all!
I might be way off here, but I’ve managed to craft a payload in an .md file and I can get a connection back to my attack-box, but can’t figure out how to parse the response/get the content of any files.
Using nc or python http.server I simply get the response, but with no file content.
Any hint is appreciated.
Hello, I’m stuck on the .md file, I don’t know what to do with that can u help me plsss
Is there anybody I can DM? I have one question regarding foothold
Made that .md script and got the user hashes, took a little help from john and finally got into it.
But now I am stuck with the root 
, any hints what to do next?
I was able to get response but the response is empty I was not able to get the initial hash from the folder
User: Think about what sensitive files that exists on the system
Root: Interesting running process
1 Like
Can I have some hints about the foothold (Please). I’ve identified the vulnerability on the view MD and i can get the admin to click on it.
I am struggling to exfiltrate useful information.
Are you test the payload on your local network? 