Hint for HELP


Comments

  • Should I keep on trying different bypass methods for my shell upload or am I wasting my time? Should I try and get a shell in a different way?

  • edited January 2019

    hint for root please :(

  • Got half the user... need some tips for finding the rest?

  • @r0tt3d said:
    Should I keep on trying different bypass methods for my shell upload or am I wasting my time? Should I try and get a shell in a different way?

    I really can't say too much without spoiling things, but I would strongly advise you to review the code on GitHub. If you look closely, you'll be very surprised at what you find.

    opt1kz

  • edited January 2019
  • @opt1kz said:

    @r0tt3d said:
    Should I keep on trying different bypass methods for my shell upload or am I wasting my time? Should I try and get a shell in a different way?

    I really can't say too much without spoiling things, but I would strongly advise you to review the code on GitHub. If you look closely, you'll be very surprised at what you find.

    That is a good hint :)

    Hack The Box

  • It seems I bypassed the file extensions upload for my php session, but I have no idea where it's uploaded to. Looking through the GitHub I don't see anything.

  • Took me a while to know I had to time travel, I feel discriminated.

  • @vanquish said:
    It seems I bypassed the file extensions upload for my php session, but I have no idea where it's uploaded to. Looking through the GitHub I don't see anything.

    Look harder. It tells you where to look if you're reading the code.

  • edited January 2019

    Edit: Found it. Nice box with little frustration on error msg. Interested to know the other way to get the user.

    MrR3boot
    Learn | Hack | Have Fun

  • @GrafEisen said:
    Took me a while to know I had to time travel, I feel discriminated.

    Exactly.. not unless you live in a UTC time zone XD

  • IIRC the time() command in PHP and time.time() in Python return UTC.
  • @jkr said:
    IIRC the time() command in PHP and time.time() in Python return UTC.

    You still have to time travel a little bit, or adjust the exploit, which is what I did ;)

  • But it does not have to do with timezones but with poorly synced clocks?
  • @jkr said:
    IIRC the time() command in PHP and time.time() in Python return UTC.

    Weird, if I check the source that worked and time.time() I do get the same value, but time.time() is still not working. I guess it only wanted me to work more.

  • need root help...

  • If anyone could help me with the Node.js part and how to use it, that would be great. Never used this method and I am a bit lost here.

    lemarkus

  • edited January 2019

    rooted.. nice box...

    Spoiler Removed

  • The travel in time confused me a bit. How do I get back the right value?

  • @Seth70 Look at the server header response with a proxy

  • @lemarkus said:
    If anyone could help me with the Node.js part and how to use it, that would be great. Never used this method and I am a bit lost here.

    I did it this way too. It's pretty interesting to get the things.

    MrR3boot
    Learn | Hack | Have Fun

  • edited January 2019

    @MrR3boot So simple fuzzing for the parameter name and value is not enough? Is the ETag important?

  • @dev0id You have to form a proper request body with the correct params (you get them on errors, by the way) in the required format. Make sure you found the correct endpoint, like chart. Can't say more without spoiling.

    MrR3boot
    Learn | Hack | Have Fun

  • @dev0id said:
    @MrR3boot So simple fuzzing for the parameter name and value is not enough? Is the ETag important?

    This might help
    a collection of points whose coordinates satisfy a given relation.

  • @cymtrick Nice box dude. Good learning BTW

    MrR3boot
    Learn | Hack | Have Fun

  • @lantog said:
    @Seth70 Look at the server header response with a proxy

    Oh noo... XD A bit overthought by me, thx...

  • Eventually got user... hours struggling and it was me not adding a certain part to the URL of the exploit... Think I will take a power nap before I attempt root. XD
    Love the box so far @cymtrick

  • If you are trying to get the upload with an exploit-db thing, you have to modify more than just the time. Hope this isn't taken as a spoiler.

  • Got root but am not sure whether it is the intended way or not… Whom can I ask?

  • I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it's a hackthebox first and it's becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

    The first step is the application running not on Port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

    Note: you will NOT find anything using most wordlists. So gobuster or dirb (etc.) are useless here.

    The name of the person who gives the "message" is not important; however, @cymtrick gives a clue in the wording of his message.

    Google the (the last word in his message) + "server" (just the word) + framework + language. Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn't appear to have any endpoints as you cannot GET anything. Thus, it isn't a REST API; however, there is a single endpoint, and it does have a g**** api =)
