Official Retired Discussion

I believe you need to exploit the binary. But you need another file. l******_s*****
I am at the same point.

1 Like

I think that the payload must be sent via upload file. At this point the activator process will be injected with arbitrary commands and do something. But what to do? :confused:

Think about your target. What do you want at this stage?

Reverse shell? I think I’m missing an important step. Hints appreciated.

What’s missing?

1 Like

Been doing this for a few hours now and finally got to the point where I am so close to foothold/user. But something is driving me insane. Leaked the s… from /p…/…/m… but the offset to “base” keeps changing. Been trying to offset both from start and end of s… but nothing seems to be stable. AS… should not be doing that or…?

Hi, I am trying to do this box. I have got lf* with the help of wfuzz. I have got index.php, default.html, b*.html and act****_li***e.php, and I can also read files like /etc/passwd, but don't know what to do from here. Any hint??

1 Like

Just dropped a shell as www-data. I would be interested to hear the solutions from others? As my exploit seems a little “hacky”, would be interesting to know if there was a better way

Medium they say… :thinking:

1 Like

haha! I’ve been thinking the same this whole week

Ok, I’m stuck on this one for a couple of days now.

I have limited read access: some config files, the /p*** folder, logs.

The logs seem to be a dead end. Tried to inject them, but the code won’t be executed. I guess because it is not a true “include”.
The key to understanding what is happening to the upload file and the ability to access / execute something over there is probably the /p*** folder. But I have been guessing, enumerating, brute forcing subfolders and files with no result.

Am I looking in the right spot?

Thx.

thx! I’ve tried this earlier with no results. But I probably did something wrong. Now I went through all the #'s again and I think I’ve got the one I was looking for.

I didn’t think it will require to… because it was medium rated.

Really we meant to do so?

You are on the right track. How can you enum processes using /p***?

There is a numeric subfolder for every process.

You need to try all the possible numbers to see if there is a subfolder present. If so, that folder contains a lot of information on that process.

That’s one way… but there is a simpler way imo. Read carefully the documentation about /p****.

ok, I wasn’t aware of a simpler method. Curious to know what it is. Although iterating through all the IDs is also only one command, when using the proper tool of course.

What a ride !!! It was a very nice box, I learnt a great deal!

However, I deeply disagree with the medium rating of this box… and I don’t know why for the last year, all the boxes are rated lower than they should? I don’t really see the point? Or is it me that's becoming slower over the years… which is also possible :slight_smile:

Here are a few hints:

Foothold to shell

  • it’s been leaked on the forum already → dirbuster to find a page then look at what this page calls then L… to find a particular process
  • find the process and the program that goes along
  • make it get us a shell [that’s the hard part!]

Lateral: shell to user

  • very easy, just look around to see some files are regularly written somewhere
  • exploit it

Root

  • fun root privesc
  • don’t need any linpeas, just work with what you have in front of you when you get user
  • google around the bin you don’t recognize and read the content of every file
10 Likes

Any tips or things you could recommend I look into? I think I have all the required info but can’t pull it all together to get a shell.

hello :wink:
What info do you have yet, so I don’t spoil?