Hint for HELP

Comments

  • edited January 2019

    Got user.txt, for root... is the folder with web****.con**.js worth investigating any further? (I feel like I've saturated this)

    EDIT:

    rooted.

    This privesc was a slap in the face after playing around for hours - don't forget the basics.

    jrichasec

  • @opt1kz said:

    @r0tt3d said:
    Should I keep on trying different bypass methods for my shell upload or am I wasting my time? Should I try and get a shell in a different way?

    I really can't say too much without spoiling things, but I would strongly advise you to review the code on github. If you look closely, you'll be very surprised at what you find.

    This makes it sound like there is a standard place where code for it is kept on github...? Or should I just google search for it? (I'm a noob)

  • Check what software is installed and then search on github. Once you have downloaded a version and know which files are in a standard installation, you can download the README or something like that from the server to check which version is installed on the box.
  • @MrR3boot @cymtrick those were great hints, thanks!

  • @1NC39T10N said:
    I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it's a hackthebox first and it's becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

    I gotta disagree. Either way into the box is a valid approach.

  • F**K Express.JS and Node.JS. Is JavaScript a real language anyway?

  • F**K.js

    peek

  • Any hints on what to do with the creds from JSON? I tried using them (and derivatives/combinations of them) at various places with no luck

  • Use them on the webapp with the login page.
  • I am able to calculate the file name, but can't bypass the PHP extension filter. Am I on the wrong track?

    Hack The Box

  • So, I was able to find the endpoint @1NC39T10N was talking about, but I have absolutely no clue what to query. Can anybody give a little hint?

  • edited January 2019

    @1NC39T10N said:
    I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it's a hackthebox first and it's becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

    The first step is the application not running on port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

    Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.

    The name of the person who gives the "message" is not important; however, @cymtrick gives a clue in the wording of his message.

    Google "(the last word in his message)" + "server" (just the word) + framework + language. Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn't appear to have any endpoints as you cannot GET anything. Thus, it isn't a REST API; however, there is a single endpoint, and it does have a g**** api =)

    This actually helped me, now I have the credentials but I don't know how to use them. Tried to use them on port 80 as well as ssh, which didn't work out.

    I guess these creds are tied to g*****l?

    Hack The Box

  • edited January 2019

    @Crizzpy said:

    @1NC39T10N said:
    I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it's a hackthebox first and it's becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

    The first step is the application not running on port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

    Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.

    The name of the person who gives the "message" is not important; however, @cymtrick gives a clue in the wording of his message.

    Google "(the last word in his message)" + "server" (just the word) + framework + language. Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn't appear to have any endpoints as you cannot GET anything. Thus, it isn't a REST API; however, there is a single endpoint, and it does have a g**** api =)

    This actually helped me, now I have the credentials but I don't know how to use them. Tried to use them on the port 80 login page as well as ssh, which didn't work out.

    I guess these creds are tied to ******?

    No. They are tied to the webapp. Passwords are usually hashed right? Crack it.

  • jkrjkr

    edited January 2019

    There are also rainbow tables for certain hash types. No need to crack. Save your CPU for other things... :joy:

  • Is it supposed to have a shell.php in knowledge base?

  • Anyone able to point me in the right direction regarding priv esc to get root? Did some enumeration and did not find anything that immediately sticks out. Read a few config and .json files, but they do not seem of interest?

  • User is much more complicated than root.

    OSCP

    Hack The Box

  • edited January 2019

    edit - d'oh!

  • Hopefully these are helpful hints without giving away too much:

    User - Don't always assume you're doing things wrong. If you have a tool to help you exploit something, don't assume it will work as-is.

    Root - Stick to the basics to enumerate the system to find out what is on there.

    As some others said, you can go about getting user by just focusing on the first service you see, but the other service you see is a good learning experience to help you get a foothold.

    billbrasky

  • Rooted twice (two different methods).

  • Is it just me or does the method to find the payload only work some of the time? I can't get it to work reliably, it's pretty frustrating.

  • edited January 2019

    Port XXXX is down. Anybody online now..?

  • I need a bit of help with the time travel, I believe I have the right path and time, but it is not finding my payload...

  • I really enjoyed this box :) seems to be PWK/OSCP like and has a little bit of everything!! Tricky but in a very good way!!!

    Thanks a lot @cymtrick

    Hack The Box
    -OSCP-

  • Rooted it, anyone need some nudge can dm me ;)
  • edited January 2019

    Hmm... I get the references to time travel and have been working on that on things that should get uploaded, and a thing you might make in Excel on the other port that gave me credentials.

    I have 'made' the correct URL as the googleable exploits may not be quite pointing to the right place (confirmed via github). I have the correct skew, or near enough, and have changed the script to give a range of a few units of measurement either side to ensure it's caught, but I can't find my upload that is legit, let alone the 'errored' ones.

    Can I get directly to this from the thing you might make in Excel? I couldn't see anything other than creds... which makes me wonder how people got to it directly from the other site, you presumably need those creds?

    I am sure I am missing something painfully obvious.

    da1y

    OSCP | eCPPTv2 | eJPT

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • Got the box, however, I feel like maybe I didn't properly utilize the creds on port XXXX. Was there anything more to them than the webapp? Pretty sure I could have exploited the webapp without creds.

  • @billbrasky said:
    Hopefully these are helpful hints without giving away too much:

    User - Don't always assume you're doing things wrong. If you have a tool to help you exploit something, don't assume it will work as-is.

    +1 -- I've seen instances where a tool explicitly caused any IP with 0 in it to error; presumably for no apparent reason other than to troll skids, but one wouldn't know it without a code review; the takeaway is that there's value in troubleshooting tools instead of just assuming it's your fault right away.

    -Keep Learning
  • I've got credentials from port XXXX and access to the url paths of my uploads on the webapp but I would really appreciate a nudge on how to get my payloads to work.

  • Can someone give me a nudge to get credentials? Thx anyway

    Chricatanese46

Sign In to comment.