[WEB] interdimensional internet



  • edited January 2020

    oh man this took me ages because of the slow af exfil...
    can't wait to go find some writeups and see if i just did it in a really stupid way lol
    EDIT: yeah i wasted hours because of slow exfil lmao. there's a much better way than acting blind


  • Woohaa got the flag! Learned a lot about python. Thanks @doxxos for the last push!

  • Is it possible to return value from ***k? I would appreciate it if someone can explain this part to me in PM?

  • I found an E**C() injection point, but the R***X is filtering basically everything that I can think of. Can someone inbox me a nudge for this stage?

  • Really enjoyable. Thanks to @seekorswim for the guidance.

  • Help me! I can use sleep on my own vps, but it didn't work in on it. Did I do anything wrong?

  • I got a flag look like HTB{some_text} from that LONG, but when i submit it the system told me it was incorrect. Does it has a fake flag?

  • edited March 2020


  • I saw many here posted that their exploit worked locally but not on the remote host. I'm facing the same issue. Any nudge would be appreciated :)

  • Type your comment> @boris154 said:

    I saw many here posted that their exploit worked locally but not on the remote host. I'm facing the same issue. Any nudge would be appreciated :)

    Finally finished :)
    If anyone else gets stuck with that issue, don't trust your local python (especially on kali), you docker to run it and then test your exploit.

  • Uff... I think I know a lot about it, but... I miss the most important thing! I can't get the site to do even a simple operation! should I forget cookies? :(

  • Interesting challenge, learning an fair tad. Can any one DM me to offer an nudge on the payload part?

  • This was a really tough but awesome challenge. Not sure why it is only worth 30 points, but had a lot of fun figuring out the bypass for local vs. remote :)

    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • I need a nudge for how can I get info from the server using blind attack

  • Completed the challenge, anyone who needs help can ping me

  • well this is impossible on the r***x part, tried everything that was mentioned (encoding, using double) nothing worked, and for some reason there is no simple demonstration on the internet how to workaround this funtion. Might have to use some kind of bruteforce to find the answer... well it was fun until I got to this part lol

  • Really enjoyed this challenge. The biggest challenge was to bypass the 'blind' exfiltration and length restriction. Found a nice way to do both with one method. If you've already solved it, I'll happily disclose my method. If not, think about other ways to send/receive data in a HTTP request/response

  • if anyone is struggling with the length there are shorter ways to reach the func to pull other helping hands. and in some cases, if your request-response doesn't take more than a second you can basically sleep for the amount of time and then round() up in python to know the number instead of checking one by one. lastly, if something is toooooo big, look for other ways to reach it without mentioning it fully. you already have all the helping hands you need to exfil.

  • How the hell was that shit 30 points? Oh geez...
    Feel free to PM for nudges

  • where is methods????? :/

  • Wow, that was very interesting and challenging. Congrats @makelaris , got a lot of fun here.

    A few tips that could be handy:

    1. Try to understand how the application works, don't submit payloads like a crazy.
    2. Replicate locally. You need to do something with the payload to make readable by the application. You can force some custom errors to see if it is working.
    3. Read about what you need and how to exploit it. Doing locally is faster and effective.
    4. After that, you have to bypass some filters, that's a bit tricky.
    5. Some commands might not work. I did it blindly but there are another options.

    Anyways, PM if you are stuck.

  • Finally cleared it today. This challenge is not done just by the 30 points you get for it. Just saying.

  • Super cool challenge, you'll learn so much during this challenge... PM for hints

  • Hi! I'm stuck, my payload is working fine locally but not working in real server. Thanks in advance!!

  • Done! The challenge was really made to benchmark your performance of brain XD. Thanks @makelaris

    Few tips from my side are:

    • Focus more on debugging the source ( to understand all the little bits)
    • For attack, you have to really think how your snake 🐍 bytes
    • Take things nice and slow for the victim to sleep

    That's all, if you still want a nudge then I am just a PM away. Good Luck!

    Life is a game where you only have one life

    --XLD (https://nmnx.org)

  • edited November 2020

    Posted this in the wrong place, would appreciate this be deleted if a mod stumbles across.

  • Need nudge i am stuck in this challenge i am not very good in coding i understand the code can anybody can help me i have written some code when i used that i am getting this error.

    Method Not Allowed

    The method is not allowed for the requested URL.

    Hack The Box
    If i helped you and tried to explained you! just give me a respect. click on the img to get my profile link.!
    Profile : https://www.hackthebox.eu/home/users/profile/17564

  • Woo.... this flag is so damn long :-)

  • edited December 2020


  • I was scared of this one cuz so many people rated it brainfuck, but it's not really any harder than the other 30 and 40 point challenges. Tons of examples on google of what to do, the hardest part for me was getting passed the filter. Also, you aren't blind when you put things in, so theres no reason to lose your eyesight to get things out.


Sign In to comment.