Official Jewel Discussion

Comments

  • @mandev said:

    > I find the right cve but page gives 500 error. I tried ar****s instead of us*rs but no luck. Any nudge?

    It will respond with 500 but still go through. Try sending multiple requests and reload the page to see if it's reflected. Curl/burp/zap works better than going through the browser as well.

    elseif

  • @elseif said:

    > It will respond with 500 but still go through. Try sending multiple requests and reload the page to see if it's reflected. Curl/burp/zap works better than going through the browser as well.

    For the pa****d part, only changing cond is enough, right? And the remote address too, of course :) If it fails then it's cond or encode, right?

  • @mandev said:

    > For the pa****d part, only changing cond is enough, right? And the remote address too, of course :) If it fails then it's cond or encode, right?

    Hmmm, PM me and show me what you've been trying. I think you might be stuck in a rabbit hole.

    elseif

  • @UrbanMystery said:

    > Hmm, can't seem to establish a reverse-shell connection, might be payload encoding (although it seems fine) - anybody have any tips?

    I am in the same boat mate.

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • rooted. thanks @sm4sh0ps for confirming i was on the right track, and @Hyp3rDrive for the idea to use the snake to encode the payload for the foothold.

    not much to add that hasn't already been said, apart from if you think you are doing everything right for the foothold, check your encoding again. and watch out for shady characters.

  • I am still stuck on this: "The change you wanted was rejected. Maybe you tried to change something you didn't have access to."

    Does anyone have any clue how to deal with it? I have reset the browser, the box, the VPN pack; I already have the user flag, and while moving on to root I am stuck back at square one.

  • @mohsinhakak said:
    > I am still stuck on this: "The change you wanted was rejected. Maybe you tried to change something you didn't have access to."
    >
    > Does anyone have any clue how to deal with it? I have reset the browser, the box, the VPN pack; I already have the user flag, and while moving on to root I am stuck back at square one.

    I got this after the box was reset and the account I created was deleted. Creating a new one fixed it.

  • @mohsinhakak said:

    > I am still stuck on this: "The change you wanted was rejected. Maybe you tried to change something you didn't have access to."
    >
    > Does anyone have any clue how to deal with it? I have reset the browser, the box, the VPN pack; I already have the user flag, and while moving on to root I am stuck back at square one.

    I get that all the time.
    Worked using Chromium and when I switched to my own VM (Kali VM).

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • I need a nudge with root. There is something wrong with the time :(

  • Rooted. Thanks @pizzapower for helping with a scanning tool.

    My best recommendation for foothold is to set up that environment yourself. Works like a charm after that :)

    ruskii

  • Done,
    Good box, not very fun, but I've learnt a couple of interesting things..

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • What payload to use for rev shell? Only touch command seems to work, nothing else is working.

  • @pswalia said:

    > What payload to use for rev shell? Only touch command seems to work, nothing else is working.

    DM me if you're still stuck.

    Feel free to PM me, but please ask good questions: https://www.shorturl.at/fmAX6

  • @PapyrusTheGuru said:

    > DM me if you're still stuck.

    I'm stuck at the same part..

  • You may have the right payload but it doesn't work straight away as other payloads do. There's caching involved, etc, so it might take a few more steps to actually trigger it.

    lebutter
    eCPPT | OSCP

  • The vuln can be hard to find. For what it's worth, when a vulnerability has a CVE documented by NVD, it'll show up after a search here: https://nvd.nist.gov/vuln/search - so it's worth a shot to see if there are potential candidates in there.
    The usual 2 cents:
    Foothold/User: the CVE has a PoC showing the way to generate a valid payload - look at the code to figure out where to use it.
    Root: while doing your usual checks you'll realize what this is about - and you're a couple of commands from root.

  • @Timdb said:
    > @PapyrusTheGuru said:
    >
    > (Quote)
    > I'm stuck at the same part..

    If anybody cared to set up the whole environment locally (like me), other payloads will not work locally. But everything works on the box. I was trying to reproduce everything locally, but nothing other than "touch" seems to work. So do it directly on the box itself. Now I am trying for the root.

  • @iWillBeFamous said:

    > got some hashes can't crack them tho....

    me too

    SwapnilMane

  • The box is very slow tonight... ssh connection take so much time (yes I've put a public key in it) and broken pipe occurs a lot...

  • For the timing issue, i'd recommend that you use the mobile app version with time synced there. I couldn't get anything on my machine to work, even with perfect synchronization.

    lebutter
    eCPPT | OSCP

  • Just Rooted. Learnt 2fa implementation. Good box. Pm for hints. Thanks to @ruskii and @zweeden for hints.

  • edited October 2020

    rooted! nice one!

    aimforthehead

  • @aimforthehead said:

    > Keep getting the error "Operation not permitted" while writing config after
    > entering the T** code. Anyone have any idea?

    It's time based. Try to sync your box as close to the HTB one as possible. If not, use the mobile phone app - this worked for me.

    lebutter
    eCPPT | OSCP

  • Rooted !
    My first box !
    Lot of fun and rage ! I feel very stupid about the right escalation...

  • Rooted, PM for hints.

    Feel free to PM me, but please ask good questions: https://www.shorturl.at/fmAX6

  • Rooted. If you need some help, DM me.

    user: very easy. Search the CVSS and get a shell.
    root: time is ur friend. It's very frustrating.

    gl next

  • I know some people built their own env over using the poc, I'd like to see how that's done if someone could dm me.

    LMAY75
    Always happy to help, DM me if you need anything!

  • Having problems getting root. I found the time based thing at home but I can't find anything that seems to use it. Appreciate if anyone can help!

  • edited October 2020

    # id
    uid=0(root) gid=0(root) groups=0(root)

    Finally rooted! Once I got the foothold working priv esc was very simple, took like 30 min. Foothold was a pain in the ass tho, the payloads are very fidgety so if one isn't working, try a different one. Massive thanks to @PapyrusTheGuru for his help determining which shells the server refuses to execute.

    LMAY75
    Always happy to help, DM me if you need anything!