I find the right cve but page gives 500 error. I tryed ar****s instead of us*rs but not luck. Any nudge?
Comments
@mandev said:
It will respond with 500 but still go through. Try sending multiple requests and reload the page to see if it's reflected. Curl/burp/zap works better than going through the browser as well.
@elseif said:
For the pa****d part, only changing cond is enough, right? And the remote address too, of course. If it fails then it's cond or encode, right?
@mandev said:
Hmmm, PM me and show me what you've been trying. I think you might be stuck in a rabbit hole.
@UrbanMystery said:
I am in the same boat mate.
Always happy to help others. 100% human
https://www.mindfueldaily.com/livewell/thank-you/
Rooted. Thanks @sm4sh0ps for confirming I was on the right track, and @Hyp3rDrive for the idea to use the snake to encode the payload for the foothold.
Not much to add that hasn't already been said, apart from: if you think you are doing everything right for the foothold, check your encoding again. And watch out for shady characters.
I am still stuck on this: "The change you wanted was rejected. Maybe you tried to change something you didn't have access to."
Does anyone have any clue how to deal with it? I have reset the browser, the box, the VPN pack. I already have the user flag, but while moving on to root I am stuck back at square one.
> I am still stuck on this: "The change you wanted was rejected. Maybe you tried to change something you didn't have access to."
>
> Does anyone have any clue how to deal with it? I have reset the browser, the box, the VPN pack. I already have the user flag, but while moving on to root I am stuck back at square one.
I got this after the box was reset and the account I created was deleted. Creating a new one fixed it.
@mohsinhakak said:
I get that all the time.
Worked using Chromium and when I switched to my own VM (Kali VM).
I need a nudge with root. There is something wrong with the time.
Rooted. Thanks @pizzapower for helping with a scanning tool.
My best recommendation for foothold is to set up that environment yourself. Works like a charm after that.
Done.
Good box, not very fun, but I've learnt a couple of interesting things..
echo start dumb.bat > dumb.bat && dumb.bat
doh!
What payload to use for a rev shell? Only the touch command seems to work, nothing else is working.
@pswalia said:
DM me if you're still stuck.
Feel free to PM me, but please ask good questions: https://www.shorturl.at/fmAX6
@PapyrusTheGuru said:
I'm stuck at the same part..
You may have the right payload but it doesn't work straight away as other payloads do. There's caching involved, etc, so it might take a few more steps to actually trigger it.
eCPPT | OSCP
The vuln can be hard to find. For what it's worth, when a vulnerability has a CVE documented by NVD, it'll show up after a search here: https://nvd.nist.gov/vuln/search - so it's worth a shot to see if there are potential candidates in there.
The usual 2 cents:
Foothold/User: the CVE has a PoC showing the way to generate a valid payload - look at the code to figure out where to use it.
Root: while doing your usual checks you'll realize what this is about - and you're a couple of commands from root.
> @PapyrusTheGuru said:
>
> I'm stuck at the same part..
If anybody cared to set up the whole environment locally (like me), other payloads will not work locally. But everything works on the box. I was trying to reproduce everything locally but none other than "touch" seems to work. So do it directly on the box itself. Now I am trying for the root.
@iWillBeFamous said:
Me too.
The box is very slow tonight... SSH connections take so much time (yes, I've put a public key in it) and broken pipes occur a lot...
For the timing issue, I'd recommend that you use the mobile app version with time synced there. I couldn't get anything on my machine to work, even with perfect synchronization.
Just rooted. Learnt 2FA implementation. Good box. PM for hints. Thanks to @ruskii and @zweeden for hints.
rooted! nice one!
@aimforthehead said:
It's time based. Try to sync your box as close to the HTB one as possible. If not, use the mobile phone app - this worked for me.
Rooted!
My first box!
Lots of fun and rage! I feel very stupid about the right escalation...
Rooted, PM for hints.
Rooted. If you need some help, DM me.
User: very easy. Search CVSS and get a shell.
Root: time is your friend. It's very frustrating.
GL next.
https://www.hackthebox.eu/home/users/profile/50727
I know some people built their own env over using the poc, I'd like to see how that's done if someone could dm me.
Always happy to help, DM me if you need anything!
Having problems getting root. I found the time-based thing at home but I can't find anything that seems to use it. Appreciated if anyone can help!
# id
uid=0(root) gid=0(root) groups=0(root)
Finally rooted! Once I got the foothold working, priv esc was very simple, took like 30 min. Foothold was a pain in the ass though; the payloads are very fidgety, so if one isn't working, try a different one. Massive thanks to @PapyrusTheGuru for his help determining which shells the server refuses to execute.