Official discussion thread for Feline. Please do not post any spoilers or big hints.
Yeah, I could use a bit of help on this one, I see the obvious path for the foothold but no idea how to trigger it. Would appreciate some reading material or a nudge
FYI, the sample area (upload file) is functioning with Chromium but not from Firefox for me. I’m using Kali Rolling.
@sparkla said:
I see absolutely nothing obvious. There’s u***.j** that’s pretty much happy about anything you feed it, except for a certain type.
I found a l******.t*t file also. Concerning the author of the website code, with a link.
@sparkla said:
@choupit0 said:
I found a l******.t*t file also. Concerning the author of the website code, with a link.
That’s usually just the author of the free html-template.
Yes, nothing interesting.
Does this box require setting up p**tfix or something similar? If so, could one point me to good resources to securely deploy an S**P server? Thanks
I’m pretty sure I know what the vuln to exploit is. I know uploading a certain filetype leaks a lot of information about where the uploaded file is saved. I can upload my sed ot "son" file. But I can't find the good path to make my JS*****D point to it… If someone can give a nudge. Or share some thoughts.
Edit: Finally got it! Path is really helpful…
No idea what it is doing on the backend, like folder structure to get se***d ot file
I am able to upload certain files from the service page (except image files) but I cannot find where the file is uploaded. Can someone give a nudge…
Same as above… no idea where to find/use uploaded files. Nudges please
I'm trying to read u*.j*p to see where the files I uploaded go, but I get an invalid request. Not sure if my steps are correct or not.
@m1r3x how did you find this kinda file, I have already used filter to extract all js files in gobuster. It revealed only u****d.js
@offs3cg33k said:
@m1r3x how did you find this kinda file, I have already used filter to extract all js files in gobuster. It revealed only u****d.js
nvm, I wrote the wrong file name by mistake.
I can see the filepath where it attempts to put the file you upload, just have no idea how to utilize it. Any nudges?
Are we sure that there is any kind of analysis on the uploaded files?
Rooted, great box
Got user! Very educating user process.