Recent Activity

Activity List

  • Welcome Aboard!
    January 22
  • squid22

    Can you help me with user? and the code injection on the exec()...
    devops is not one of my strongest skills... (this kills me)
    What I am doing is getting a python one liner shellcode, then url encoding it and and passing it to the server. These are the steps I am doing:

    1) using: https://gist.github.com/lucasgates/0c6330c582d0ccf52fad129d5e7e9de7
    without the python -c part
    2) url encoding the reverse shell and replacing ; and spaces with %3b and %20 respectivetly before URL encoding
    3) passing the reverse shell as follows:
    curl -i -L http://10.10.10.168:8080/"""url_encoded_python_revsershell"""

    Keeps failing buddy.

    January 22
  • squid22

    devops is not one of my strongest skills... (this kills me) ... can you help me figure this out?
    What I am doing is getting a python one liner shellcode, then url encoding it and and passing it to the server. These are the steps I am doing:

    1) using: https://gist.github.com/lucasgates/0c6330c582d0ccf52fad129d5e7e9de7
    without the python -c part
    2) url encoding the reverse shell and replacing ; and spaces with %3b and %20 respectivetly before URL encoding
    3) passing the reverse shell as follows:
    curl -i -L http://10.10.10.168:8080/"""url_encoded_python_revsershell"""

    Keeps failing buddy.

    January 22
  • Roqui800

    Hi
    Can you please give a nudge on openadmin box? It is my first box and i am not sure about what exactly i have to do. I find all the websites but i don't found nothing interesting.

    January 22
  • SpiffyLich

    Which groups do I care about? I'm super duper new to windows-hacking, and there's a lot that feels like its going right over my head :(

    my best guess right now is for "NT AUTHORITY\NTLM", since there's an article about it. Unfortunately, exploits that I've found straight up don't seem to work. There's at least one metasploit module out for it that requires SESSION, but I can't get any session info from the box as ryan.

    I've never been this stuck before. Jeez I feel like a 4 year old.

    January 22
  • Please consider giving respect if I helped you :-)

    January 22
  • IK1979

    Hi trying to get user for JSON box. I have managed to gain access via admin. ihave the OAUTH2 code. i cant seem to get the user access using ysoserial or mkpsrevshell.py
    Any hints or tips please.
    Thanks,

    January 22
  • Str0ng3erG3ek changed their profile picture.
    Thumbnail
    January 22
  • hemang

    Hi, this one is regarding Json. I got URL and able to login with admin/admin. first time using json. can you please through some hint on from where to start. also know that sb admin 2 version 4.0.4 of bootstrap is there.

    January 22
  • 4an7o

    Hi, I would suggest doing Direct Message instead posting on the public board.

    Based on your description, you are not understanding what you have.

    1. Is it password of j*****a?
    2. How the GTFObin works in this box? Why it tries to escape nano?

    Hope the questions help you.

    January 22
  • Rayngjx

    Hey so I have managed to solved it to 72 84 66 123 77 48 78 107 115 95 107 78 51 119 33 125 , did some number cipher and got UGOT0WADLRDA0PHV and then ROT13 to "HTBG0JNQYEQN0CUI". Seemed like a promising flag but it isnt. Do you have any hints?

    January 22
  • D4rkn3S

    hello, i need some nudges on json.htb if you can.. i have there meterpreter shell, also found encrypted privileged user password, i decrypt it but when try to run with runas or psexec another payload, my meterpreter shell is down. also try to run netcat connection but not work.. can you give some nudges? thanks..

    January 22
  • marvin7408

    Hello,
    I am working on the OpenAdminBox. I have the exploit working for OpenAdmin 18.1.1. I have a restricted reverse shell. I used the command "last" to see the last login. I see 2 users Jimmy and Joanna. I search the file system to find password or password hashes. I can't anything useful. Do you have a tip what I need to look for?
    Thx.

    January 22
  • goodgoodstudy

    Hello, I'm contacting the control machine. I've got users. I'm having problems with them. I found the consolehost_history.txt file, and I can also write something in "currentcontrolset \ services \ test". But that's all. Google didn't harvest it. Root needs to prompt!

    January 22
  • squid22

    Hi AlexLTN, I was able to use wfuzz and found the hidden directory "develop". I was able to download the source code and I noticed that part with cwd and os.path... I been trying to do some LFI, RFI or something like that ... I have tried a few variations but got nothing... Can you help me figure this part out?

    January 22
  • squid22

    Hi expanding, I was able to use wfuzz and found the hidden directory "develop". I was able to download the source code and I noticed that part with cwd and os.path... I been trying to do some LFI, RFI or something like that ... I have tried a few variations but got nothing... Can you help me figure this part out?

    January 22
  • squid22

    hey steel448, I am I was able to use wfuzz and found the hidden directory "develop". I was able to download the source code and I noticed that part with cwd and os.path... I been trying to do some LFI, RFI or something like that ... I have tried a few variations but got nothing... Can you help me figure this part out?

    January 22
  • FibonacciBear changed their profile picture.
    Thumbnail
    January 22
  • Kyushu

    hi,Did you solve the SSH problem?about,postman(Matt)

    January 22
  • whitecrow, LSnake, spike66, avekiszka, fadhilthomas and 38 others joined.
    Welcome Aboard!
    January 21
  • alez

    Hello,

    any nudge on foothold? Im unable to run full dir scan, always getting disconnections. Been able to find /vendor/symfony (with dirs int, process, filesystem, polyfill-ctype). Found some changelogs there that im not sure if they are relevant.

    Found /vendor/gears/pdf too, that is the phpgearbox, but not changelogs here.

    been trying to xxe the docx with blind method but im unable to connect back. I've been trying to trigger the pdfbox too (which seem obsolete and vulnerable) but did not found a way.

    also im trying to figure out how is the conversion process, we upload the file, then the php does some unzip, looks for the main document in word/document.xml, then it calls libreoffice for conversion? but when it calls pdfbox or anything else (unoconv or anything else, that i can figure is the real thing that have to be exploited)?

    thanks

    January 21
  • SpiffyLich

    on the Resolute box, I got user "melanie" and the user-flag.

    A lot of people are mentioning a user-2, and I'm 99% certain I know who it is. My question here is, should I try and get r*** credentials / login, or can I go straight for root once I have melanie?

    thanks!

    January 21
  • FDS

    Hi
    Can you please give a nudge on openadmin box. I am on the www-data user and have looked at the files in var/www/ona but i find nothing interesting

    January 21
  • nuxmorpheus01

    Never mind, just rooted.

    Thanks anyway. :)

    January 21
  • Ja4V8s28Ck

    Have you finished FOREST??
    bcoz i am willing to try to it , as it's a windows machine

    January 21
  • nuxmorpheus01

    Hi man.

    Could you help me with traverxec please?

    I am stuck on root and I think I has an idea on what to do but resizing the terminal is not working for me . You told you use other way. May you tell me what way was that?

    Thanks in advance.

    January 21
  • unethicalnoob changed their profile picture.
    Thumbnail
    January 21
  • atr0pos changed their profile picture.
    Thumbnail
    January 21
  • darklink701

    Hello, I started HTB a couple days ago. Since then I've been spending my time trying to get into OpenAdmin. I think I understand what i need to do later on, in terms of script execution, but the problem I'm having right now is getting access to an initial, low level shell. Could you point me in the right direction? Much appreciation.

    January 21
  • wxadvisor changed their profile picture.
    Thumbnail
    January 21

Howdy, Stranger!

Click here to create an account.