Forum Discussion
Dependency Confusion
I feel as though I have exploited the vulnerability correctly and have gained RCE on the server, but I lack sufficient privileges to access the token to complete the lab. I have no idea if I missed something, but any help is appreciated.
Commands used can be found below.
Commands executed
6 Replies
- steven
Silver II
So solving this lab is quite straightforward by just copy-pasting the instructions. The setup.py only needs to be modified in 3 places (ip, name, version), and then build it and upload it. So far so good. Once you get a shell, "whoami" should show you root. Just tried it and it just works like this.
- TillyCorless
Community Manager
Hi Mail, did any of these replies help to solve your confusion?
If you found a reply useful, please don't forget to mark it as a Solution.
Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.
- KieranRowley
Community Manager
Hey Mail, did you manage to solve this one in the end?
- User
Bronze II
It looks like you've successfully uploaded the file onto the target server but are trying to control it incorrectly, and you're controlling your own system instead of the target's. Try finding the file through the listener set up earlier.
- NyePrior
Immerser
Hey Mail
Thanks for sharing your steps. Based on what you've shown, it doesn't look like you've got RCE on the system yet. The commands you're running are on the Desktop instance of the lab (dependency-confusing-desktop). Once you've got RCE, you'll be the root user, so running "whoami" will output root, not iml-user.
Hope this helps!
- KieranRowley
Community Manager
Hi Mail
Welcome to The Human Connection! Please let me speak with the lab author and come back to you.