There’s a ffuf flag to output debug errors to a log file so you can troubleshoot. I think it’s -debug-log /path/to/file. It’s helped me on a number of occasions.
Any hint for the first auth?
I have tried for foothold. I have used FFUF and found a Desert plant. I have used Dora's favourite tool and found ***_user but am not getting any hashes or creds to use. Can I get a hint, please?
I have used ffuf and found all the .php files. Can someone give me a hint on where to go next? Thank you.
You can DM me for some nudges if you wish. I think there are some decent hints in the thread already to get you where you need to be and what needs to be done for foothold, but I can be more direct if you wish.
@badre619
@lordsoahc
@rdy2hunt
Hey @Ashishgupta, even I got the root easily with user-level access, but still I tried to escalate my privileges. I was able to pivot and gain access to the internal server, but after that I am stuck. If you know anything, please help.
So you have access to the web panel of Duplicati? Can you log in to it? It is backup software which is running as root. You can simply do a backup of /root for the root flag or run a script using it.
Rooted :)
Is there any way to get a shell as root? I couldn’t crack the shadow file.
I think that I found the c**.*** you are mentioning but not sure how to abuse it. Tried to blindly inject c** on this very page using common params and various verbs but I don’t seem to get anything from the machine (did not go far on escaping and enumeration though). Is this the way or am I charging windmills?
You need to find another page that you can perform SQ******ction on to dump some creds so you can log in to that subdomain.
Hello, does anyone have a little hint for the root part?
Lost a lot of time trying to generate a pair of keys while the approach was way more straightforward. I forgot the obvious way to expose local resources. Not sure how NLTE got the user in 12 minutes (is there a way for the user different than the one for root?). Thanks for your help, @FroggieDrinks
SUPER SLOW
Do it manually
Well, I guess I'll buy some food while sqlmap is running
Root was so simple actually, but I was overthinking for 2 days
Tip for Root Privesc because I was a silly goober and wasted 20 minutes:
If you decide to use online encoding, they may auto-delimit Hexadecimal with spaces.
Don’t. :,)