Start by searching for them on Google.
Googlefu: “name of app or software” “exploit”
Then you read them carefully and see if they apply to your situation
Hi. Can anyone help me with the foothold of this box? I can share whatever I’ve tried and found over DM.
~ Thank you!
I’m at this point now. I can successfully grab a well-known file from /etc/, as well as the config file for the web server (from /etc/caddy/Caddyfile as well), but I’m stumped on where else to look. I noticed that www-data’s home dir is listed as /var/www, which makes sense, and I’ve tried looking for various files I’d expect to be in there, such as something like app.py or yummy.py, at various paths - like within /var/www/html/, /var/www/yummy, and variations on those. I’ve also tried looking for files I KNOW are in there somewhere, like I can see the main web page loads a JavaScript file from static/js/main.js, and I’ve also tried looking for ics.py, but I can’t find either of those files anywhere in /var/www either. I’m just not sure where else to look. I’d like to try to find a config for the yummy web app, or a database file, so I can try to grab some credentials or something, but I don’t know if that’s going down the wrong trail. Any nudges would be appreciated!
An excellent box! I was able to learn a few things out of it; anyone who is stuck, feel free to drop me a PM.
For the initial foothold make sure to check ALL known linux files, this will reveal the next steps.
You know, it is kinda annoying that I have to redo sending some data every once in a while because it gets erased; it’s like it was set up to be annoying on an interval.
I could just be complaining, but this could be a hint.
Hi everyone,
I’m stuck with this. I got a shell, but whenever I try to move from the mysql user to www-data using the cronjob, app_backup.sh gets overwritten without it ever executing. Does anyone have a hint for this, please?
Nevermind, got it working.
Anyone available? I wrote some code to generate the weak thing, but for some reason it’s not working, I don’t know why.
I tried the LFI a lot of times and I can read /e*c/pas**d, but when I try to read other files I get a 500 Internal Server Error :((
Bro, you need to repeat that process, like you need to re-catch the request every time you read a file.
Yes, I do that a lot of times, but when I catch the request I get a 500 status code.
Dumped almost 90 different files and now I have DB creds and a hidden directory.
Learned a lot from this one! For anyone struggling:
Foothold: just observe carefully which actions you can perform in the application. When you find the vulnerability, I recommend creating a script to make it easier to exfiltrate what you want.
- Hint 1: Don’t overcomplicate things. Everything you need can be found exactly where it’s supposed to be by default.
- Hint 2: Still struggling? Have you tried searching for Linux files that define scheduled tasks?
User: now that you have access to the machine, look at that Linux file that gave you the first steps to foothold. Observe which user executes each of those scripts, and you’ll soon realize what you have to do. As soon as you get a shell with the other user, enumerate which new files/directories you have access to.
- Hint 1: VCS are great, but developers should be careful with what they commit.
- Hint 2: They also provide a lot of features, including the ability to execute scripts when certain actions are triggered.
Root: it’s actually pretty simple. Just study the tool you’re allowed to execute. Look for which switches it’s using, which switches you can use, and search about Linux privileged binaries: how you can create them, and how they work.
Be careful because in almost all steps there are schedules that may overwrite any files you create or modify.
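The "User" hints above boil down to reading the system crontab (the file that "gave you the first steps to foothold"), noting which user runs each script and how often the schedule fires, since that interval is what keeps overwriting your changes. The script below is an added example, not code from the box or from anyone in this thread: it parses a constructed /etc/crontab-style sample (six fields, the sixth being the user) and lists, for a given current user, the scripts that other users execute on a timer. The /data/scripts directory and every script name except app_backup.sh are hypothetical.

```python
"""Parse a system crontab and list which user runs which script, and how often.

Added example (not the box's or the thread's code). Works on the /etc/crontab and
/etc/cron.d/* format, where a user field sits between the schedule and the command.
"""
import re
from typing import Dict, List, Optional

# Constructed sample. Paths under /data/scripts are hypothetical; only
# app_backup.sh is mentioned in the thread.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root     cd / && run-parts --report /etc/cron.hourly
*/1 *   * * *   www-data /bin/bash /data/scripts/app_backup.sh
*/15 *  * * *   mysql    /bin/bash /data/scripts/table_cleanup.sh
* *     * * *   root     /bin/bash /data/scripts/dbmonitor.sh
"""

# Absolute paths inside a command; interpreters in system bin dirs are dropped below.
ABS_PATH = re.compile(r"(?<![\w/])(/[\w./-]+)")
SYSTEM_BIN = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def period_minutes(schedule: str) -> Optional[int]:
    """Return the interval in minutes for '*' or '*/N' minute fields with all other
    fields '*'; None for anything more complex (e.g. a fixed minute like '17')."""
    fields = schedule.split()
    if len(fields) != 5 or fields[1:] != ["*"] * 4:
        return None
    minute = fields[0]
    if minute == "*":
        return 1
    if minute.startswith("*/") and minute[2:].isdigit():
        return int(minute[2:])
    return None


def parse_system_crontab(text: str) -> List[Dict[str, object]]:
    """Turn crontab text into entries of schedule, user, command, scripts, period."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value assignments.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)  # 5 schedule fields, user, rest = command
        if len(parts) < 7:
            continue
        schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        scripts = [p for p in ABS_PATH.findall(command) if not p.startswith(SYSTEM_BIN)]
        entries.append({
            "schedule": schedule,
            "user": user,
            "command": command,
            "scripts": scripts,
            "period_min": period_minutes(schedule),
        })
    return entries


def scripts_run_by_others(entries: List[Dict[str, object]], current_user: str) -> Dict[str, List[str]]:
    """Map each *other* user to the scripts cron runs as them: these are the files
    whose permissions (and parent directories) are worth checking from current_user."""
    targets: Dict[str, List[str]] = {}
    for e in entries:
        if e["user"] == current_user:
            continue
        targets.setdefault(str(e["user"]), []).extend(e["scripts"])  # type: ignore[arg-type]
    return {u: sorted(set(s)) for u, s in targets.items()}


if __name__ == "__main__":
    parsed = parse_system_crontab(SAMPLE_CRONTAB)
    for e in parsed:
        every = f"every {e['period_min']} min" if e["period_min"] else e["schedule"]
        print(f"{e['user']:<9} {every:<14} {', '.join(e['scripts']) or e['command']}")
    print("\nFrom mysql, scripts other users run:", scripts_run_by_others(parsed, "mysql"))
```

The period matters as much as the user: a job that fires every minute will clobber a modified script before you can trigger it unless your edit lands inside that window, which is exactly the behaviour described two posts up.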
Hi guys, can someone help me with the foothold? I’m struggling with SQL injection on the admin page, but I don’t know if it is a trap… Please, I can’t plant a rev shell.
I’m stuck at exactly the same step. It seems to be the way forward, but I can’t get it to work.
You’re on the right track. Just stick to the basics, forget about automated scripts (except if you’re creating a script to help you retrieve information, as I recommended) and focus on what the machine can do for you. If you pay attention and keep it simple, you will need just about 2 requests to achieve something useful (an RCE, in this case).