Hint for HELP


Comments

  • I'm really confused on getting user on this one. I know there's two ways and I've tried both...

    1. Unauthenticated. I've tried to run the script a million ways and I can't find my upload. People are saying "travel to London", but that doesn't make much sense because the server uses GMT/UTC and so does Time.time() in Python. So the times should match up. UTC time is by default timezone insensitive...so I'm not sure how to change that.

    2. Authenticated. I've got the creds and logged in as a user. But the b**** s*** attack to get admin creds isn't working for me, even though I've made a ticket with an attachment. Any help there?

    If anyone could help or PM me, it would be much appreciated. Thanks!

  • got user semi-intended way and rooted with exploit, would like to know how the other port was done, pm me to discuss.

    illwilll
    OSCP

  • Thank the Lord. I got root! If anyone needs help you can PM me.

    Discord : secHaq#7121
    trigger

  • General comment: Try to exhaust all options for any box you are working on before attempting any exploits. Don't just go for an MSF exploit. Very few of these boxes are built around MSF attacks and you are really doing yourself a disservice if you rely on MSF for everything. I've seen in the comments that tons of people used exploits to get root. Yeah, anyone can do that. If you have a zero day you can own any box in the list. But that's not what they are for, they are here so you can challenge yourself. You don't need an exploit for root on this box.

  • If anybody has the time and will to help with this box,
    please write me a PM and I will send everything I did and found in the last 2 weeks.
    Even after all the reading here and a lot of tries, I am missing something for sure.
    Thank you in advance.

  • Had a great time with this box. Getting user took by far the longest and some degree of time travelling :)

  • Can someone give me a prod in the right direction for root, without using a k***** exploit?

  • Rooted, took me way longer than I would have hoped.

    User:
    I took the ** port way, I think it is quite easy, just remember to enumerate. I personally did read any of the GitHub code, just google/exploit-db anything you stumble upon and then you will quickly see what you need to find next.

    Root:
    Although it's not difficult it's very easy to just fall into a rabbit hole and ignore the basics.

    If you need any help PM me.

  • @lackofgravitas said:

    Can someone give me a prod in the right direction for root, without using a k***** exploit?

    Read files.

  • I've read up on the source code and the timing, I think I am missing something stupid with both of the exploits, would anyone be able to PM and assist with getting this working 100%?

  • Rooted. Now I just feel dumb.

  • edited February 2019

    I guess I have it almost there... just cannot seem to exploit the helpdeskz thing. How can I verify the local time of the server to make sure it matches mine?! PM would be nice. Thanks!

    Edit: Actually pretty sure I have the time correct... (curl -v should give that information from what I read).

    Would the exploit just be as easy as -> python exploit.py http://ip/support/ reversh.php
    ?
    I am probably missing something...

    chojinl

  • Finally rooted after so many struggles! Honestly the box is harder than it is rated. I went on the obvious way to get root. If u did something different, please DM me and let me know.

    Hints:
    User....
    1) make sure u read about nmap lies on internet about services are on what ports, sometimes it might lie to you.
    2) To find credentials, figure out what server it is and google "how to "
    3) Think about time
    4) look at the GitHub page, especially to know where your file is going and if it is going at all.
    5) exploitdb is your friend, he is here to help! (haha get it?)
    6) think about time
    7) think about time
    8) think about time

    Noted: I think there might be a typo in exploitdb when talking about how the app is vulnerable, just keep that in mind

    Root....
    1) sOMEtIMES we make mistakes while typing.

  • I beat my head against the wall for two days. I tried to exploit lower port in a right way, but it didn't work. The script just didn't find my uploaded shell. I switched from EU VIP to US VIP and it worked perfectly. Thanks to @EXC3L for help

  • @chojin said:

    I guess I have it almost there... just cannot seem to exploit the helpdeskz thing. How can I verify the local time of the server to make sure it matches mine?! PM would be nice. Thanks!

    Edit: Actually pretty sure I have the time correct... (curl -v should give that information from what I read).

    Would the exploit just be as easy as -> python exploit.py http://ip/support/ reversh.php
    ?
    I am probably missing something...

    check the url..the source of the app will help you, Github is your friend ;)

  • I am a noob and have been avoiding asking for help with......help, but I am stuck. I got the user credentials from n****s, found the source code on GitHub but get a 302 for the next part. Can someone PM me to make sure I am not overthinking things?

  • Just got user in this box ..
    Is it an easy box ?
    I am new to HTB

    Hack The Box

  • Rooted ...But would love to know how to get user with g**** ..Can anyone help ?

  • @sillydaddy said:

    Just got user in this box ..
    Is it an easy box ?
    I am new to HTB

    k got it :)

  • got the user, stuck on root. I read the files and found the thing. But now what do I do with it?! can't sudo or su in the reverse shell...

  • Rooted! Thank you @Echo99 for the help!

    GoneRogue2018

  • edited February 2019

    Rooted loved the box. Did the gr***l (user and password) way if anybody wants help or discuss how I did it, feel free to PM.
    Shout out to people who helped me thanks guys <3

  • Did the gr***l way (username and password) if anybody wants hint or wants to discuss, feel free to pm me.

  • @Echo99 said:

    Stuck on user, trying HelpDesk Way. I'm attempting to find the php shell uploaded, I'm also pretty sure that the directory in which the file will be uploaded is /s*****t/u******/t*****s/. I've also read the GitHub repo trying to figure out how files are managed. Nevertheless, I can't even display a previously uploaded jpg file on the website. Any hint will be appreciated.

    -Edit, Finally found the way to find uploaded files, now searching for a way to RCE PHP. It is always showing the jpg image even if code is embedded in EXIF

    -Edit, Got user even if with some difficulties. Also got root in a very straightforward way.

    Hint for user (low port):
    To understand where your file will be uploaded read docs and search for
    a specific hd exploit

    Hint for root: Enumeration and Search are the two main words

  • After 2 days of user, I finally timed out and got user. Root followed shortly. Thanks to @Echo99 for a nudge.

    Arrexel

  • I have been trying to get the user flag for days using the unauthenticated s**** upload. After reading through this thread and actually reading the code for the exploit I believe my clock needs to be adjusted, although I don't know what to adjust it to. Anyone that has figured out how to figure out the adjustment for time please PM me so I can stop banging my head on this machine.

  • Your clock doesn't need to be adjusted, as several people have pointed out.

  • Just got root. Wow, that took a lot longer than it should have done, but at least I learnt a lot about shells.

    The root isn't quite as easy as it first appears. Think about what's actually gone wrong.

  • edited February 2019

    Got root!! Thanks to @smaxxx @EXC3L. I was getting an invalid argument error when executing the exploit, but it worked after a couple of resets.

  • edited February 2019

    Stuck on user, so I got the credentials from the high port and logged into the lower port but I'm lost on what to do next. PM me I need help :(
