Hint for HELP

Comments

  • Rooted. I used the obvious way.
    If someone knows other ways to root please PM me so we can discuss.

  • mystified as to how everyone else is getting the script to return results

  • I'm having some bad luck with the VPN connection so my script fails intermittently.

  • Managed to get user, working on priv esc now :)

  • So I'm stuck on just getting user. I retrieved some creds from that high port service, logged into the web app using them.

    Didn't see much other than a little bit less blindness.

    I did get a fixed up exploit to give me a helpful URL.

    However I can't seem to move past the filtering to execute my shellcode.

    Should I have stuck with just the high-port service for getting a shell or is the web app the right direction?

    Anyone have any php pages they'd recommend for filtering bypass ideas?

  • I'm assuming resets would also cover databases and that the challenge isn't broken from others modifying it.

  • Fun box! My advice is to examine the upload code and the exploit code closely, and edit as needed -- might have to do some manual experimentation. After finding your shell, it's a quick step to root! Basic, basic enum.

  • Yeah, I got the upload code part and exploit code finds a URL. However, I can't get RCE for a user shell.

  • Man, looks like lots of resets hitting now

  • I think I know what I need to do but I can't get around the upload filter, it's driving me nuts

  • I feel like I'm missing something on root....

  • Looks like someone is messing with the server and breaking the challenge. Getting a Forbidden message for the web app now.

  • edited January 2019

    Anyone have any good links for filter evasion tricks?

    I've tried all the ones that Google provided, but none of my ideas worked out.

  • edited January 2019

    rooted!
    Machine was quite useful, although it is very basic it taught me to actually pay attention to the basics and stop skipping shit. As soon as the route to r00t was hinted I figured out exactly what I did wrong and I won't be doing that again!

    Good machine though

  • Spent hours working on the file extension bypass, including reading source code. Any nudges would be appreciated as I'm going insane.

  • edited January 2019

    Got a copy of the code from GitHub running locally. I can push up my payload locally all day long, I can find it and execute it. NP. When pushing to Help, if I have that certain extension I get an error "File not allowed"; if I push up with "filename.php.txt" I don't, but then I can't execute the file I uploaded. It displays. WTF.... Appears the code has been modified from what's on GitHub.

  • edited January 2019

    @Barn3y said:
    Got a copy of the code from GitHub running locally. I can push up my payload locally all day long, I can find it and execute it. NP. When pushing to Help, if I have that certain extension I get an error "File not allowed"; if I push up with "filename.php.txt" I don't, but then I can't execute the file I uploaded. It displays. WTF.... Appears the code has been modified from what's on GitHub.

    Removed

    m4rc1n

  • edited January 2019

    That moment when you've got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

    ¯\_(ツ)_/¯

    Hack The Box

  • @rejoinder said:
    That moment when you've got user and are about to privesc, then the box gets reset and the identical path you used to get to where you were no longer works.

    ¯\_(ツ)_/¯

    I do not think there is really more than one path. What is suggested as an easy way basically does not work (at least on a fresh machine after reset). The difficult path seems to be nicely reproducible.

    m4rc1n

  • edited January 2019

    Rooted. Cool box!

    User:
    There are indeed two ways to solve it: a) as an unauthenticated user (simpler) and b) as an authenticated user (harder, blind sqli, you have to find the credentials first). Adjust your scripts accordingly, and please, for the love of God, DO NOT rely on error messages.

    Root:
    Easier than user. It took me about 5 minutes to solve.

  • edited January 2019

    in some way, that box is misconfigured for the intended way, if there are intended ways in hacking....but it's a nice box, I enjoyed it

    peek

  • I don't understand why I did not find anything when looking for the uploaded file.
    Is there a problem with time?

  • Rooted... Very simple machine, just the initial part is a little bit tricky.

  • edited January 2019

    Hmm my file upload used to work and now it does not? Has anyone experienced this problem?

    Edit: Figured it out. There was an issue with the file I was uploading.

  • @Spiderixius said:
    Hmm my file upload used to work and now it does not? Has anyone experienced this problem?

    It should not work.

    m4rc1n

  • Also I have rooted it. PM for hints if needed.

  • Rooted, for a box of 20 points it's not easy at all.

  • I've done two methods of getting into the webapp as an unprivileged user and as an administrator.

    With the second method do I get a shell using a similar method as without auth or is there another way?

    I want to explore more ways than just the unauth way.

  • I used the blind SQL way to get administrator in the webapp. Is there a particular method besides similar to the easy way to go after a shell?

    If the easy way didn't exist as a vuln but the sql injection still did should I expect to find a way to shell?

    I want to make sure I practice the intended ways fully.
