Official Blurry Discussion

Interesting machine, for tips I’d say:

User - you’ll find a good blogpost, it will reveal what you have to do, but won’t tell you exactly how to do it. Keep it simple and read documentation + the code so you know what you need to send for it to be executed.
Privesc - The path is as straightforward as it gets, after analyzing it you can then search for how this type of vulnerability was exploited in the past.

Some trial and error was necessary when writing the exploit for both parts, be persistent and don’t overcomplicate things.

2 Likes

Same thing here. Idk what I'm doing wrong.

Same thing here :cry:

Was looking in all directions while it was just in front of me.

Thanx, @TheKeen

2 Likes

Man, this was a good box. I haven’t really heard of ClearML prior to this so it was nice to learn something new. DM for a nudge :point_right:

1 Like

ROOTED!!! Shoutout to @netika for their huge help in not just getting me to compromising User, but how it worked, and why. That was invaluable in getting root. As always, DMs welcomed for nudges, just include what you’ve found so far, what you’ve tried, and where you’re stuck.

2 Likes

Can u shoot me a dm for root? thanks

If you’re talking about the foothold, it’s a client-side exploit. Look for other web services on the machine and you will eventually find some information about a server script that regularly runs tasks meeting certain criteria

Finally rooted yesterday, after two particular individuals were really nice and provided hints, whilst not giving spoilers :smiley:

Hello, thanks for recognizing me brother!

I’m stuck on getting a foothold.
From what I have been looking at since yesterday, ClearML has an attack vector where we can replace a file's content on the file server to get RCE. I have tried ChatGPT to create a script to replace content from a JSON file within a Python script to get RCE. But it fails to connect to ClearML even though I used the access and secret keys.
Any tips to move on would be appreciated!

Hello everyone, I have pwned the machine but I have a question. Where do I ask it?

Have you tried the procedure just like it was on the website?
That should help you get the script to work. After that, just go by some tweaks here and there.

And go by the hints of @TheKeen and @0xalam
I had tried not using ChatGPT but in the end, had to use it to resolve some issues that were happening to my artifact.

Anyone care to DM me their foothold script? I already pwned user but forgot to save my notes lol.

I tried recreating what I did but it's not working, or my reverse shell isn't correct. The artifact loads but nothing happens. Could be my revshell.

Anyone else having issues with the clearml server going down every now and then?

Bro, I was able to upload the shell.py file as an artifact, but when I visited the link it downloaded the file instead of executing what is in the file I uploaded, which is RCE code!

I got stuck on the privesc for a while… I thought it required credentials to run the sudo… I didn’t know that the sudo allowed command could be used with masks… (wildcard). I thought the binary was all that mattered… I learned the hard way… but this was an awesome machine… I really enjoyed it…

1 Like

Hey man, well I have a question: I found a service in a subdomain and I am trying to exploit it with NoSQL injection, but it doesn’t let me install the tool, or I don’t know what CVE can be used. Any clue or something please hehe

A couple of people have been coming to me asking about pretty much some of the errors I was committing, so I’ll try to set up some hints:

  • Someone said “code analysis” and the box is pretty much about this.
  • The attack path mentioned in the article is that you have to upload a malicious artifact that, upon another user utilizing the “get” method, deserializes your artifact, executing your malicious code.
  • There is a project with a script running every couple of minutes. Try to see if you can use it to your advantage. Again, “code analysis”.
  • After uploading your artifact, check on the console what error the script will throw and adjust your payload as expected.
  • Not all scripts expect a pickle file.

2 Likes
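From the defender's side of the deserialization described in the hints above, a pickled artifact can be inspected without being loaded. This is an added example, not code from the thread or from ClearML; the function names, the allowlist and the sample blobs are hypothetical and constructed for illustration.

```python
import datetime
import fractions
import pickle
import pickletools

# Opcodes that invoke a callable or set object state while unpickling.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
IGNORED_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT", "FRAME"}


def inspect_pickle(data: bytes) -> dict:
    """Walk the opcode stream without executing it; list imports and call opcodes."""
    imports, calls, recent = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):          # arg is "module name"
            imports.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":            # module and name come from the stack
            pair = recent[-2:]
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            # Anything not resolvable statically (e.g. memo lookups) is reported as such.
            imports.append(".".join(pair) if ok else "<unresolved>")
        if op.name in CALL_OPS:
            calls.append(op.name)
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name not in IGNORED_OPS:
            recent.append(None)
    return {"imports": imports, "calls": calls}


def is_acceptable(data: bytes, allowed: set) -> bool:
    """True only if every global the pickle would import is on the allowlist."""
    return all(name in allowed for name in inspect_pickle(data)["imports"])


# Constructed samples: plain data, an allowlisted type, and a type not on the list.
ALLOWED = {"datetime.date"}
PLAIN = pickle.dumps({"epochs": 3, "lr": 0.01})
DATED = pickle.dumps({"created": datetime.date(2024, 6, 1)})
OTHER = pickle.dumps({"ratio": fractions.Fraction(1, 2)})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("dated", DATED), ("other", OTHER)):
        print(label, inspect_pickle(blob), is_acceptable(blob, ALLOWED))
```

The same allowlist can be enforced at load time by overriding `pickle.Unpickler.find_class`, so an artifact that passes inspection is still loaded through a restricted unpickler.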

How did you fix the “not a dictionary” error?