Official Chemistry Discussion

I solved it, my Linux distro's firewall has blocked the external connection :angry:

I never heard of whatweb! It's installed on Kali by default, sheesh…

Thanks

I have a foothold, but could anybody explain why only specific reverse shells work? Is this some sort of security feature built into Linux or Python? How did you guys know what shell to use and what would work?

Not sure where I’m going wrong here, or even if I am. I’ve been able to access the low-level user and enumerate ports and services, even have the aiohttp PoC that corresponds to the service version. Whether I curl into the service as Rosa, or whether I use the SSH port forwarding to browse the service that netstat reveals, the PoC doesn’t give anything other than 000 or 404 response codes. Going to bed, brain is scrambled.

Nvm, I figured it out. The PoC script needs to be modified to suit the directory structure and port of the app on 8080. Nmap and Feroxbuster did the trick for finding that info. It was also useful to me to modify the script so that the successful command is echoed to the prompt, where it can be copy-pasted for ease of manipulation.

Pwned. Thanks all for the tips.

I used LFI/directory traversal.

My sequence is wrong. I wasted my time on the initial foothold going immediately "inside" using an exploit, though I initially got that "file" by fuzzing. When you get that "file", crack it. But maybe still going into the server on my initial foothold helped me at least to see who among them to focus on.

Once inside using user:pass, enumerate, enumerate, enumerate. You'll see something that's only accessible from inside. Configure your SSH to be able to access that local thingie. You might fall into a rabbit hole at first because of fuzzing, but enumeration on the forwarded port will lead you to read something about a version that allows you to read local files (LFI) that's not accessible by "user:pass" normally. Play with the script and remember the directory from fuzzing the forwarded port. !!got r00t.

My hint for this box is to remember that PoCs often need a tweak to work properly.

You don’t have to run an exact copy of the environment if you can find out what part makes it vulnerable, copying a function to your own test script works too. You might find an issue you didn’t expect with a payload.

This is the real answer for why the "exploits" aren't working for root. It seems there are multiple versions of exploits out there, such as some Python ones, which don't actually send the path as-is; they normalize the path.
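The last two posts turn on the same detail from the defender's side: a client that normalizes `..` segments never reaches the vulnerable code, but a static file handler must not rely on that. The following is an added example, not code from the thread, from HTB or from aiohttp; `STATIC_ROOT`, `resolve_static_path` and `has_dot_segments` are my own names and the root directory is constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root for a static file handler (not a real server path).
STATIC_ROOT = "/srv/app/static"


def resolve_static_path(root: str, requested: str) -> Optional[str]:
    """Map a URL path onto a file strictly under root, or return None.

    normpath() alone is not the defence: it collapses '..' segments, which is
    exactly what a normalising exploit client does before sending. The
    defence is the containment check after joining and normalising.
    """
    # Decode percent-encoding first so %2e%2e is seen as '..'.
    # (A server that decodes twice would need this applied again.)
    decoded = unquote(requested)
    # Drop the leading '/' so posixpath.join does not discard root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against root + '/' so '/srv/app/static2' cannot pass as a
    # prefix match of '/srv/app/static'. Symlinks inside root would still
    # need os.path.realpath() on a real filesystem.
    prefix = root.rstrip("/") + "/"
    if not candidate.startswith(prefix):
        return None
    return candidate


def has_dot_segments(requested: str) -> bool:
    """Detection helper for access logs: True if the decoded path contains
    '.' or '..' segments, i.e. a request that a normalising client would
    have silently rewritten and that merits an alert on the server side."""
    return any(seg in (".", "..") for seg in unquote(requested).split("/"))


if __name__ == "__main__":
    for req in ("/css/site.css", "/css/../img/logo.png",
                "/../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", resolve_static_path(STATIC_ROOT, req),
              "| dot segments:", has_dot_segments(req))
```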