Official Format Discussion

Need help with the root part. Can make some hits but can’t get to the final result. Please PM me if you have time to help.

Any hints about the first step? I think I know how to get pro but missing the target you mention.

I built an identical setup at home and it works there, almost the same nginx config, and the redis socket can be reached through the proxy and I can modify values as I like. But I cannot figure out what’s different on the format host. Any hint would be appreciated…
Is someone available to discuss a working request string?

Edit: Forget about everything I said, I declare the opposite, just too dumb to add another return…

check the source code. what operations can you perform as normal user? is there anything you can take control of to leak some info?

finally rooted the machine! thanks to everyone that i got hints from! :slight_smile: root was easier than expected :innocent:

Am I supposed to be able to access the actual blog app? Because I keep getting a 504 error for any subdomain. I’ve been combing through the source code but idk what I could do without actually using the app.

Found a way to access the socket to get the pro user, but can’t continue. Should I try to use this to write something to the web directory? :thinking:

Do you get a 504 or a 502 error?

I’d say you’re on the right path. It’s how I got my shell.

Now it is time for a reverse shell.
You have an access point, create some payload to get a shell.

guys need hint to access P** account

Interesting machine. Without the hints, user would have been insane for me. With hints it is still very tough with a lot of rabbit holes one could fall in. Root has a rather clear path IMHO and is quite doable. Still, personally this was more a hard machine than a medium one.

Thanks, that did it!

Rooted the box, but I don’t understand how/why getting pro worked. I “stole” a request out of a log. If anyone can enlighten me (via PM I guess) why it works, and how they figured it out, I’d be thankful.

Is there a way to “enumerate” for this?

you have access to the WHOLE source code, so with a bit of time you get to know everything the website does and under which conditions

you have to enumerate some c****g files and spot the error

Should the bulletproof provisioning process take place at all? The process seems not to take place and the file is not there and the uploads dir is not available. Thus no new vectors are open with pro. If just the creation and copy process fails, the only thing would be to modify the blogname, but I can not pass the checks, even if the blog is in the DB or I just don’t know a matching encoding method. So no ideas left, any hint? Thanks in advance :slight_smile:

Process should take place, if it doesn’t something’s wrong. Both /upload and bulletproof should be there.

So the way after getting pro is uploading? Because I thought the upload part is a rabbit hole.