Official Freelancer Discussion

FroggieDrinks · June 3, 2024, 12:55am

Yeah I just did another box a couple days ago that abused the profile picture and im kinda hung up on it that attack vector

I didnt know much of IDOR Vulnerabilities and am reading up on that. That looks more like the correct path like you and @tekila84 said. Thank you.

vanatka · June 3, 2024, 4:22am

i cant run nc to get shell it say The system cannot execute the specified program

assquired · June 3, 2024, 4:36am

Look for a tool on the admin page you found

MahiAsl · June 3, 2024, 7:20am

qr scan what next

MahiAsl · June 3, 2024, 7:57am

login as employer account after recovery what next

piyush · June 3, 2024, 8:14am

Hi, can anyone tell me how to figure out the admin’s user id for the IDOR vuln?

0xalam · June 3, 2024, 9:59am

Hi tekila84,
I’m stuck with initial foothold any help would be very helpful.

Thanks

0xalam · June 3, 2024, 10:00am

I’m stuck with initial foothold, please help

Sp00n3r · June 3, 2024, 11:07am

If anyone can give a nudge I’d appreciate it. Stuck on initial foothold, I have an employer login and I’m working on the IDOR but I’m stuck trying to parse the correct otp link to get admin; cyberchef is only getting me so far

Aleee6 · June 3, 2024, 11:30am

Totally clueless on user xD
Am i blind? No useful privs on svc acc, cant see vector xD
Is it AD related?

tekila84 · June 3, 2024, 12:18pm

Try enumerating for some files

piyush · June 3, 2024, 12:42pm

Hi, how to figure out the admin user id for performing idor attack?

Aleee6 · June 3, 2024, 2:11pm

You can find ids by profile image urls. Or blog, comment, click username. Then burp intruder for example

SpnMonkey · June 3, 2024, 2:23pm

Was able to login as admin on freelancer site, but really stuck on where to go from here. Having his account doesn’t offer anything…

tekila84 · June 3, 2024, 2:29pm

You have to login to the brutefored directory, and there you will find some terminal

Sp00n3r · June 3, 2024, 2:30pm

nvm, we got it with some help from @hiperlinx - working on getting a shell now.

mokko · June 3, 2024, 3:03pm

Anyone knows where I may read up on antivirus evasion techniques?
What are the common tools you use to get a a reverse shell that does not get detected?
I have been using all sorts of combinations of encoders from msfvenom to no avail.

redspider · June 3, 2024, 3:27pm

there is one base64 string you can try idor with it i am also stuck on it trying to use it with intruder always the different result

SpnMonkey · June 3, 2024, 3:49pm

SQL terminal is killing me. Current user has no permissions. Any tips on priv esc here?

bsnun · June 3, 2024, 3:54pm

Still can’t find any IDOR with success response.
Had a base64 token that partially decoded to something readable yesterday, but now nothing.

Topic		Replies	Views
Official Analytics Discussion Machines	245	11601	May 12, 2024
Official Mist Discussion Machines	25	2603	October 5, 2024
Official Cerberus Discussion Machines	211	10186	July 25, 2023
Super frustrated but probably easy to fix Machines	6	691	January 31, 2018
Official Resource Discussion Machines	156	4510	November 23, 2024

Official Freelancer Discussion

Related topics