Official Freelancer Discussion

What tool did you guys use for brute forcing the IDOR?

I tried Ffuf but I think there is some protection on the back side as seconds after I load it the whole server just returns code 503.
Burp was too slow for my taste.

For the IDOR, you need to look at the URL, there is one portion that is encoded. You need to see how this relates to a user that will give you access to a user with admin privs.

Does anyone have an idea where to find lorra creds? I'm using memproc to analyze the .DMP file but I'm stuck.

Yes… I’m brute forcing with base64 encoding.
Ffuf has an encoding flag that you can use to encode your wordlist.
I created a number list with seq and used it in Ffuf with the base64 encoding module, but the server just doesn’t like my forcing attempt. :joy:

Also, I used the cookie values from a valid session.

Got it! Trial and error with the brute forced profile picture filename. :rofl: :rofl:

DM, I can help you.

There are several parts to that URL and it only works for a limited time. That’s why fuzzing here fails. There are 2 other ways to enum the users on the site. Both have been mentioned above:

hidden for those that want to proceed

  • look at the job dashboard (quickest)
  • and someone mentioned fuzzing profile pics

Yeah, it was me. Got it that way.

Not only does the QR code last for a specific time, as said on the page, but I guess it only lasts once.

Hello mate, can I dm you on this?

Any hints on pivoting from SVC_ACC? I've manually enumerated just about every file on here and am getting nowhere.

Any hint for the root flag? I'm in lorra199.

Try clicking on user profiles, maybe of whoever posted the job or article in blogs; you will find what you need.

I have the link to the page of the admin profile.
What do I do next?

Can anybody help me with a sanity check on getting a reverse shell? I tried everything.
I can execute commands, but I can’t get a shell.

Someone please help.

Would anyone mind DMing me about the foothold?
Having some issues :sweat_smile:

Can anyone give me a hint on how to use mi**********an credentials to do a lateral movement? I was able to obtain some information but I could not find a way to execute commands.

I have RCE but can't seem to get a shell working. Can someone please hit me up for a little discussion?

See if you can google ‘xp_cmdshell’ and reverse shell.
I personally couldn't get the one on hacktricks to work but found an article that contains some commands to abuse powershell to download NC from my machine and execute it.

Remember you can basically run any command using xp_cmdshell as if you were on the box.

curl and wget with powershell can get you there.

I've had issues with my Revshell constantly being cut off randomly. I believe the box might have antivirus killing it or the box is just janky. I've reset the box and had better success but it still happens randomly for me.

If you're on “admin” in the freelancer webpage you'll need to look for a directory to pivot to. Simple directory enum will discover where you need to go.

I found a way that worked. What did not work was to try to host any .exe file on my machine. Somehow they all end up having 0 bytes.