Look up the Linux Kernel documentation on file systems, and try to find something about collecting system information. You got this. 
2 Likes
This helped, thank you
Iāve been analyzing the b*****, testing it in my own server, is there a way to get RCE via Sq**?
at first I suspected that and had no result. now I try b***** o******* and have no result yet too 
Iām going crazy over this but I also learned a lot thatās really cool(!!). I just canāt leverage it yetā¦ Please excuse the silly code here (trying to explain where Iām at without spoiling anything to ppl not there yet)
Because I know where the library is, I can use ropes at that cool place 521. I just canāt get very long ropes or make them do anything very useful. I can send the guy (letās call him Ripley) to various places in his home he normally goes to when I want to or even get him to call other folksā¦ but I donāt know how to talk to him or hear back from him. I hope itās not because of a little bird 
This is the first time Iām using these techniques and itās really cool.
But Iām going crazy - I have not been sleeping much the last 3 or so daysā¦ HALP!
Sorry for being to annoying! This is pretty exciting (and frustrating)
1 Like
you are on the right track. just dont expect any response. you need to make it in one go.
Thereās some kind of filter at url param. First position only accepts certain characters. Does it mean something? EDIT: Yes! Thatās it!
Current account cannot read kernel /p***/ cmds. Is there a way to get processes running ? 
I just see the process a******_l***** used in upload. EDIT: ok, I see what I can do. 
I donāt know where to search for database l******.s*****. I wonder if itās accessible for web account. There must be another process to manage database data.
I have been working on this one for a couple of hours, but now I ran out of enum optionsā¦ Someone willing to give me a little nudge? Share notes perhaps?
I was able to retrieve some local details using the browser. Found who is behind the 521 and that corresponding 1nā¦**e number. But Iām sort of lost how to figure out what stuff is physically there using FS/Lā¦ only.
On a different track, I managed to look into the XS and RRās. Tried to poison through the ācopā but realising that only works for true includes. I guess this is a dead end.
For l******.s*****, /p***/ offers some more āmethodsā. Donāt forget to read the /p***/ using some kind of filter otherwise you might see nothing. With the new information you will find the l******.s*****. Itās accessible for web account.
So far Iāve only found the L** and canāt find much else. This box makes me feel dumb. 
I found the a******_l***** and l****** but I donāt know what to do after that.
Try to enum much more. You are on the right track. You can find more if you enum the url.
What can we do if we find unknown files especially an unknown binary?
Hmm ā¦
Iām trying b** but it doesnāt work
I get the LFI and license upload page. I am trying to find what is the location of the uploaded file, but no progress. Any hint guys?
Mind PMing me the method you used, I tried to do a lot of enum on the URL and couldnāt find anything.
LFI = read file phpā¦
yeah, I read the two php file code, but didnāt get an idea how to pop a shell. File upload but donāt know where is the file location. LFI can get /etc/passwd but need to find password for the user
andā¦ what saids the upload web???
where is the file you need?
the code in upload file use socket function transfer the content of uploaded file to local port 1337 And I stuck here.
I assume I can upload php file to the server so I can get a web shell, However, I donāt know the location.
All I know now is that the php first store the file in a temporay directory, and I test on my machine shows the file name seems a random string (/private/var/randomā¦)