look if you can run SQL commands as another user. I’m struggling with the next steps, getting a reverse shell
1 Like
you need to impersonate someone, and then enable xp_cmdshell google book.hacktricks.xyz site there you can find something about SQL
Anyone that needs help with getting into admin on freelancer. Dont waste a lot of time on rabbit holes. Its really simple doesnt need any tools to exploit.
Hiding hint in case anyone still wants to find it themselves.
Summary
Youll find the number by performing some manual easy IDOR on the jobs board. Dont over think it.
After you have your number youll need to do something with that a little magic maybe. Some encoding 
Other hints above have pointed to where inside the profile youll need to do this. The QR code might hold a hint. Once you put those 2 together youll be logged into admin on freelancers profile page.
Aftewards youll have that session in your browser. Just look for other directories to pivot to. 
1 Like
Can anyone tell me why I keep getting “syntax error” when trying to use sp_configure. I am impersonating and can run cmds but, wheni try to trigger the revShell i get a warning that xp_command is disabled and get a syntax error when trying to enable it. So confused.
1 Like
This is where I find myself too. I know what I need to do next I just can’t seem to, ya know, do it. lol
| Column 1 | Column 2 | Column 3 | Column 4 | E |
|---|---|---|---|---|
| name | minimum | maximum | config_value | run_value |
| xp_cmdshell | 0 | 1 | 1 | 1 |
Whats strange is it appears to be enabled. But still says it isnt.
Why this sql terminal throwing codemirror is not defined is it my browser 
View Source → Follow that POST Request , regenerate it in Burp and take it from there
You don’t really even have to use BURP; you can enter commands directly in the admin interface.
Sometimes the web interface is not working as reported above, i falled back into using burp
1 Like
Could someone help me with the user Liza?
Can you give some tips please
sorry I did not get the IDOR on the job dashboard!
I have checked the linked for requesting a job there is a parameter job_id=
I tried to …/…/…/…/etc/passwd I got error malicious code detected
Can you give more hint please?!
Any hint to how to escalate from svc acc to user with username and password of different user?
I finally got onto the box as SVC_ACC but is anyone else having issues with it killing the connection like every 30 seconds. I can do some things then my connection gets reset like a task is running and killing them.
is this just me or is their something i need to do to stop my revShell from getting killed every 30 seconds?
i don have any issues with that. I’m using python reverse shell
1 Like
HINT: Look at who posted the job.
Is there anything special about clicking each different Job poster
…/…/…/…/etc/passwd would be more LFI not IDOR.
IDOR is more lile say you have ?userid=1, youll try changing the 1 to a 2 and seeing if its a success.
Find the correct number then you need to transform it to something else then you can go back to the other hitns and see what you need to do with it.
Thank you. Ill give that a try.
Look for files
Is the user mi***an a rabbit hole for the user flag / lateral move? I have valid credentials but none of the tools to spawn a shell with those creds seem to work.