Hint for HELP


Comments

  • I just found three ports, the webapp dir, and I know the script. I tried uploading shell.php.jpg, it doesn't work (I did find the correct URL with the script). I don't know how to use it, and I didn't find SQLi. Anyone PM me, hit me plz...

  • Finally got root on the box. It was honestly a fun box. I learned a lot. There are a couple of trivial parts you need to tackle for the initial foothold (USER).

    USER: There are two different ways. I went with the unauthenticated way. I also got the user creds for the authenticated way but didn't try it yet. As I mentioned before, you need to solve the trivial parts in order to get a successful RCE. :)

    ROOT: As mentioned by many people, stick to the basics. Most famous ones are not always your friend :-]

    For the USER part I got some help from Forum, please PM me if you need some help.

    Enjoy!

  • Finally got root after 2 days stuck. This machine reminds me not to overthink ^^

  • @d4z3c said:
    Finally rooted! Thanks @Spiderixius for your hints and @cymtrick for the box. User was frustrating.....

    Good work!

  • edited January 2019

    Read the source code. It's lame as hell. I don't even know why the software bothers to put out an error message. The alternative method is kinda cool. Let's just say that it competes with the motionless architecture and a social media giant (starts with F) started it first.

    limbernie
    Write-ups of retired machines

  • Ahhh... wow I made this much harder than it should have been.. pm me if you are stuck.

    Hints:
    User: I went unauthenticated.. just make sure you read the usage and sample usage of things..

    Root: Really don't assume things.. don't think wow that's recent there's no way...

    Hack The Box

  • edited January 2019

    Newb here!

    So I'm going the easy way, and I'm at the part where I'm running a script. I believe I have the right command, but it can't seem to find my file I uploaded.

    After reading through hints, it has something to do with time. I changed my box's time to the same as the Help box, still no luck. I think I have to adjust something in the script's code but I'm unsure how.

    If someone could point me in the right direction and give me a nudge that would be gr8.

  • Hey guys, can you help me with unauth shell access? I tried, but I still couldn't get the shell.

  • Hello guys, can someone help me please on this machine .. i'm stuck .... thanks in advance :) <3

  • As some others have said, running into restrictions on filetypes here. I've looked around at using null chars, multiple file extensions, checked thru the code that's doing the validating, but no luck.

    Is there a technique that you're using to upload a certain filetype? Or was it just allowed on the box when you tried it?

  • Check the code more…

  • Rooted it. Hint for root: if you're done with most VulnHub machines, you can root this easily. hahahahaa

  • Damn, I spent too much time banging my head against the wall on some stupid mistakes. I went the easy (unauthenticated) route, since I couldn't figure out the high port endpoint, and after reading the code I'm not sure how I was supposed to discover that other than a wild guess.

    Hint for user: go read the code, seriously, pay close attention to it, don't trust the exploit documentation over what you're seeing, but the exploit code is correct.

    Hint for root: I hate typing in the wrong window almost as much as I hate Caps lock.

  • edited January 2019

    Any hints for priv esc? Looked at searchsploit, keep getting an error on execution

    ./xxxxx
    error invalid argument

    executing from within a reverse python shell

  • edited January 2019

    Rooted! Great box! Credit to @Sekisback for hints.
    This box is 100% searching in Google for specific exploits.
    For User: I didn't find any creds. Just run the exploit in the right place.
    For Root: basic exploitation

  • Finally root! I really enjoy this box. Congrats to the creator, good fun!
    Didn't use N****** on port XXXX but I will give it a try.
    User: Read the code, careful... don't just use it as is... ;-)
    Root: too easy... seriously, it's that obvious.

  • edited January 2019

    removed

  • edited January 2019

    anyone care to drop a nudge? I've found the exploit (i guess) and i can bypass the file extension for the unauthenticated way, but it just doesn't work. Maybe it has something to do about the time that everyone is talking about, but no clue :|

    Edit: got it

  • Interesting machine - learnt a couple of new things. Thank you to the creator, @cymtrick. :D

  • (12) 2 Days for this [ 99% of time = user, 1% of time = root ]
    Special Thanks for one guy for his great explanation.

    ASHacker

  • edited January 2019

    @clacky said:
    As some others have said, running into restrictions on filetypes here. I've looked around at using null chars, multiple file extensions, checked thru the code that's doing the validating, but no luck.

    Is there a technique that you're using to upload a certain filetype? Or was it just allowed on the box when you tried it?

    Same boat here. I've tried all the usual file upload bypasses. I have underlying DB access and can see that the allowed file types differ from the default install of the web app. No other users have fewer restrictions or another upload avenue. I can't get anything successfully uploaded with an executable extension.

    With the current config that I am seeing there is no way that unauthenticated fire and forget upload script works...

    If any HTB users have helped you with a challenge or hint please consider giving them +respect on their profile.
    Here is mine if you would like to do so.
    https://www.hackthebox.eu/home/users/profile/50326

  • The admin of this box is lazy and a troll, yet has immaculate restraint when it comes to reusing creds. Make of that what you will.

    Hack The Box

  • Anyone wanna PM hints to get

    @vict0ni said:

    anyone care to drop a nudge? I've found the exploit (i guess) and i can bypass the file extension for the unauthenticated way, but it just doesn't work. Maybe it has something to do about the time that everyone is talking about, but no clue :|

    Banging my head on this too. Anyone got any pointers, or any tips on how to get the user creds via the high port number service?

  • So, succeeded in getting login credentials to the platform via the high-port service. Any pointers on how to bypass filters :)?

  • So, I was able to root the box but I don't think I did it the way that it was intended to get the root flag. I would be interested in talking to someone on two things:

    1. Those that used the SQLi approach, was it successful? I couldn't ever get it to work.
    2. Those who got the root flag, how did you do it?

  • @ChiefCoolArrow said:

    @clacky said:
    As some others have said, running into restrictions on filetypes here. I've looked around at using null chars, multiple file extensions, checked thru the code that's doing the validating, but no luck.

    Is there a technique that you're using to upload a certain filetype? Or was it just allowed on the box when you tried it?

    Same boat here. I've tried all the usual file upload bypasses. I have underlying DB access and can see that the allowed file types differ from the default install of the web app. No other users have fewer restrictions or another upload avenue. I can't get anything successfully uploaded with an executable extension.

    With the current config that I am seeing there is no way that unauthenticated fire and forget upload script works...

    Interesting, if you have DB access couldn't you add some rows?

  • This box is easy, I struggled a bit at first but was able to root it. Looking at the source code helped so as to know how to use the exploit. I tried both unauthenticated and authenticated ways and there was really no difference on how the exploit worked. Best time to try the box is immediately after a reset.

    Otherwise I'm happy to provide hints if you're stuck.

    ikuamike

  • @ikuamike, how did you get around file upload restrictions for unauth exploit? I'm assuming you need to get a certain filetype onto the server to then run with that exploit?

  • edited January 2019

    @clacky said:
    @ikuamike, how did you get around file upload restrictions for unauth exploit? I'm assuming you need to get a certain filetype onto the server to then run with that exploit?

    Spoiler Removed

    ikuamike

  • edited January 2019

    removed
