Wall

Got my rev shell as w**-d***, stuck at privesc. Found that the S*** bit is set for the /b**/c**n executable, but I don’t know if I’m going in the right direction. PM me if you have some time to spare! Thanks.

Got user and root :slight_smile: The hardest part for me was getting the initial shell. I don’t know if I got user and root the correct way and would like to discuss it with somebody.

Got the shell, but it does not do anything. Is netcat not the right tool for this?

If anyone could PM me with a hint about the initial shell, that would be great. I have confirmed that I have successful RCE, but I cannot get a shell for the life of me.
Edit: Never mind, I have figured it out.

Can anyone help with login creds? I tried brute-forcing the API but I’m getting nowhere.

Spoiler Removed

So finished up finally.

Those struggling to get the credentials for the app - just a heads up, I had made my own script to query the API for user credentials and it straight up did NOT work. I adapted a script from the exploit you should use, which does the same thing, and it also threw false negatives… I ended up just trying stuff manually one at a time. If you looked through the admin docs for the product, you’ll know the username is one of two things. Then just try super easy passwords. You’ll hit it eventually.

Once you’re in, if you’re struggling with code execution via the exploit (like I was initially), a few things: it is very important to follow the execution of the exploit to see what is happening. Use packet capture tools to see what is happening when you send data to the server. There is a reason why it doesn’t work. Understand what the exploit is actually doing. Review the code to see what steps it is performing. Once you get it, you won’t need to run the exploit anyway. You could script something that works 10x better.

Once code execution is in place, for the life of me I could not get a reverse shell sent to my machine (I think this may be due to the fact I was sometimes supplying the wrong IP address… but I digress), but in any case, who says you have to? At least initially, there are other ways you could interact with the server to make your life easier.

Don’t really need to provide hints: once you have a stable shell, do the usual enumeration for root and it’s obvious.

Good job, Askar. I’ll go bang my head against a wall now. (Y)

Thank you @askar for an awesome box.
I learned a lot!
And also a big thank you to @YaSsInE, who helped me a lot.

Can I get a nudge on the RCE script? For the life of me I cannot get the shell to work; something is escaping me :frowning:

@virtualgoth said:

> Use packet capture tools to see what is happening when you send data to the server. There is a reason why it doesn’t work. Understand what the exploit is actually doing. Review the code to see what steps it is performing. Once you get it, you won’t need to run the exploit anyway. You could script something that works 10x better.

This is confusing, I get the CVE code needs “fixed” based on the comments, but as best I can tell, from walking through it with burp or just manually typing everything in the GUI, the script is fine, it’s a server side setting that’s preventing the payload, which can be replicated by just copying and pasting the payload in the GUI, you get the same error (based on the characters). Unless I’m missing something. I don’t see how you would script something 10x better, it’s just posting the same data you could enter in manually. I can’t figure out how to get anything to just work, even something simple like ping, which makes troubleshooting difficult.

What I don’t get, is how you kick it off if you use the GUI. I get the post to that special page in the CVE script, but I can’t find that in the GUI.

@falqon said:

> @virtualgoth said: (Quote)
>
> This is confusing, I get the CVE code needs “fixed” based on the comments, but as best I can tell, from walking through it with burp or just manually typing everything in the GUI, the script is fine, it’s a server side setting that’s preventing the payload, which can be replicated by just copying and pasting the payload in the GUI, you get the same error (based on the characters). Unless I’m missing something. I don’t see how you would script something 10x better, it’s just posting the same data you could enter in manually. I can’t figure out how to get anything to just work, even something simple like ping, which makes troubleshooting difficult.
>
> What I don’t get, is how you kick it off if you use the GUI. I get the post to that special page in the CVE script, but I can’t find that in the GUI.

Maybe try encoding… I hope that’s not a spoiler?

Please DM me on how to get the creds for /c*******
I’m totally lost.

Please DM me. How can I get the directory? I tried to use dirb, but dirb does not show m*******/c******* etc… so I’m stuck on the next step. Please help me.

Spoiler Removed

Thanks @askar for the fun box. Learned a lot! And also a big thanks to @133720 and @Pratik, who helped me a lot.

PM for hints :slight_smile:

@lahirukkk said:

> Thanks @askar for the fun box. Learned a lot! And also a big thanks to @133720 and @Pratik, who helped me a lot.
>
> PM for hints :slight_smile:

You are welcome, lahirukkk.

Can someone please tell me how to modify the exploit? I’ve wasted a lot of time on it with nothing to show yet. Thanks in advance.

I am stuck at w**-d***. I already did enumeration and tried some exploits. Some people mentioned that it should immediately catch one’s eye what to exploit.

Can someone give me a nudge?

Rooted.
USER: do not rely on the exploit; write your own tools and combine them with the exploit.
ROOT: it’s pretty easy, just look around, no need to enumerate.
Thx @Y3llowMustang @rholas
PM if you’re stuck.

@falqon said:

> @virtualgoth said:
>
> > Use packet capture tools to see what is happening when you send data to the server. There is a reason why it doesn’t work. Understand what the exploit is actually doing. Review the code to see what steps it is performing. Once you get it, you won’t need to run the exploit anyway. You could script something that works 10x better.
>
> This is confusing, I get the CVE code needs “fixed” based on the comments, but as best I can tell, from walking through it with burp or just manually typing everything in the GUI, the script is fine, it’s a server side setting that’s preventing the payload, which can be replicated by just copying and pasting the payload in the GUI, you get the same error (based on the characters). Unless I’m missing something. I don’t see how you would script something 10x better, it’s just posting the same data you could enter in manually. I can’t figure out how to get anything to just work, even something simple like ping, which makes troubleshooting difficult.
>
> What I don’t get, is how you kick it off if you use the GUI. I get the post to that special page in the CVE script, but I can’t find that in the GUI.

To clarify, I mean for anyone who is only firing off the exploit and sitting back and it’s failing - a good place to start would be to capture the traffic and analyse the responses back to see at what specific point it’s failing. Then focus on that specific part of the exploit only and get that working first. Without a capture it might be hard to discern at what point it fails because if you are using the exploit on EDB - it won’t tell you what is happening and at what point - it will simply echo success even if this isn’t the case, hence you could script something that works 10x better by at least providing you feedback on the server responses as you supply different payloads.

As far as I could tell, there is no direct link to that in the GUI, for that I just mocked up the request in BS and sent it to repeater. That at least only requires session ID and no token which makes life a little easier. You should see feedback in the server response for that if you run a command that provides output if that’s helpful. If you are seeing no feedback from commands (and you are sure the command updated correctly by checking the GUI), then there must be a syntax error, sometimes I forgot the character at the end of the payload from EDB which caused the execution to fail.
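Added example, not from any post in this thread and not the box's software or the EDB exploit: a small Python harness that does what the two posts above recommend, namely report the server's actual status and body for every credential pair and every payload instead of echoing "success". So it runs offline, it starts a constructed local mock target; the endpoint paths (`/login`, `/cmd`), form field names, the "Welcome" success marker, the one valid credential pair and the blocked-character list are all assumptions made for the demo and say nothing about the real product.

```python
"""Feedback-first request harness (added example; not from the thread or any
product). The mock target is constructed so the script runs offline: it accepts
exactly one username/password pair (answering HTTP 200 to failed logins too)
and rejects any 'command' containing a blocked character, mimicking the kind
of server-side filter that lets a fire-and-forget exploit print success while
nothing executes."""

import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# --- Constructed mock target (assumptions for the demo, not real behaviour) ---
MOCK_CREDS = {"admin": "password1"}   # assumed valid pair
BLOCKED_CHARS = set("`$;")            # assumed server-side character filter


class MockHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):     # keep the demo quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path == "/login":
            user = form.get("username", [""])[0]
            pw = form.get("password", [""])[0]
            if MOCK_CREDS.get(user) == pw:
                self._reply(200, "Welcome, " + user)      # success marker
            else:
                self._reply(200, "Invalid credentials")   # still HTTP 200!
        elif self.path == "/cmd":
            cmd = form.get("command", [""])[0]
            bad = sorted(set(cmd) & BLOCKED_CHARS)
            if bad:
                self._reply(400, "illegal character(s): " + "".join(bad))
            else:
                self._reply(200, "saved: " + cmd)
        else:
            self._reply(404, "not found")

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock():
    """Bind the mock on a free loopback port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


# --- Harness: never trust "success", record what the server actually said ---
def probe(url, fields):
    """POST form fields; return status, body length and a body snippet,
    for error responses as well (urlopen raises on 4xx/5xx)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as r:
            status, body = r.getcode(), r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode(errors="replace")
    return {"status": status, "length": len(body), "snippet": body[:80]}


def try_logins(base, users, passwords, success_marker):
    """Return the (user, pw) pairs whose response body contains success_marker.
    The status code is deliberately not used as the signal: the mock, like
    many web apps, answers 200 to failed logins, which is exactly how a
    hand-rolled brute forcer ends up reporting false results."""
    hits = []
    for u in users:
        for p in passwords:
            r = probe(base + "/login", {"username": u, "password": p})
            if success_marker in r["snippet"]:
                hits.append((u, p))
    return hits


def try_payloads(base, payloads):
    """Send each candidate and return (payload, status, snippet) so the one
    failing character, not the whole exploit, is what gets debugged next."""
    return [(p,) + (lambda r: (r["status"], r["snippet"]))(probe(base + "/cmd", {"command": p}))
            for p in payloads]


if __name__ == "__main__":
    srv, base = start_mock()
    print(try_logins(base, ["admin", "user"], ["admin", "password1"], "Welcome"))
    for row in try_payloads(base, ["echo hi", "echo hi; echo there", "$(whoami)"]):
        print(row)
    srv.shutdown()
```

Run stand-alone it prints the single working credential pair and then one line per payload; the second and third payloads come back as 400 with the offending character named, which is the feedback that a script that only checks "did the request go through" never gives you.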