Great, thanks for the hint! I have a hard time recognizing rabbit holes… will try the other attacks.
The form on editorial.htb/upload has the entry bookurl. Somehow this is not transferred for me. I also don’t see it in the traffic in Burp Suite. However, I see all other entries from the form. What am I doing wrong?
Are you capturing the request when you hit the “preview” button? It should be in there.
I’ve used the thing to find the thing which contains the info for all the other things.
But I can’t figure out how to further use the thing to leverage the info about other things.
Can anyone give a nudge?
Any hint for dev to prod?
Enumerate some hidden folders. You’ll find some interesting information using git.
I can get it to call back home but really can’t see what’s different from the normal upload, would appreciate any hints.
thanks…
I’ve got the prod user and now I’m just trying the perfect command to get root!!
There are a lot of hints in this forum already (which helped me a lot), but I will tell you about my experience.
User: even though I spent a bunch of time stuck here, I really liked the technique. There isn’t much you can do on the website, so focus on the one and only endpoint you will have that allows interaction from the server. I suggest you set up a local Python HTTP server and use it to serve some images as book covers. Observe the behavior of the application. You’ll soon realize that it does exactly what is described by one of the OWASP Top 10 vulnerabilities. After that, notice how the response changes according to the resource you provide, and it will be enough for you to enumerate the application. As said multiple times in this forum, you don’t need a specific tool, so use the one you’re most comfortable with. In my case, I used ffuf (you can use an HTTP request as a parameter and input the payload in there), and found what I needed pretty quickly.
Root: just don’t go too far from home, or you’ll get lost quickly. Git is a Version Control System tool, which means that you can either push new versions of software or even roll back to a previous version. Just play around with it a little bit, and you should get what you need to take a step to the side. After that, you’ll manage to get the root flag with a quick search.
Nice box, appreciate the hints from you guys, and thanks to the creator!
GG
Cool Box!
User part is especially educational.
Sad to say, sometimes the machine needs a reboot to reach the initial foothold.
Bugbounty hunters gotta love this one!!
nice one.
Anyone having errors when running the root exploit? Mostly it just can’t reach remote… Can DM for more clarity.