Celestial hint


Comments

  • Any particular reason my code would work one day and not now? I see others have had trouble with this and eventually got it, but I've tried at least once a day for the past few days with the exact same code.

  • Never mind. Backspace is the death of me.

  • Machine gets down 50% of the time and this is really annoying :(
    I think that I'm totally lost on privesc, could someone DM me please?

  • @STingER said:
    Machine gets down 50% of the time and this is really annoying :(
    I think that I'm totally lost on privesc, could someone DM me please?

    YESSSSSSS!!!!!! Who's crashing it? plz stop doing so

  • edited June 2018

    The exploits that you have to use for user are interesting, but priv esc is not implemented well at all. Spoiler Removed - Arrexel. Also, let's not forget that the machine crashes for 20 min every 10 min ANDDDD when the machine crashes, which means every 10 min, you have to re-exploit the user. Pretty bad implementation. At least give SSH. (DON'T REPLY WITH "GET VIP MEMBERSHIP" cuz other free boxes are smoothly implemented with much harder exploitation) PEACE

  • @xtech said:
    The exploits that you have to use for user are interesting, but priv esc is not implemented well at all. You edit the file and you have to wait. Once the time is already there, some other idiot edits the file with wrong input, then you have to get into an editing war with other people. Also, let's not forget that the machine crashes for 20 min every 10 min ANDDDD when the machine crashes, which means every 10 min, you have to re-exploit the user. Pretty bad implementation. At least give SSH. (DON'T REPLY WITH "GET VIP MEMBERSHIP" cuz other free boxes are smoothly implemented with much harder exploitation) PEACE

    Waiting 5 minutes wouldn't be so bad if the box could stay up for more than 5 minutes at a time...

  • There are some reverse shells for this platform that should not crash the server, according to a comment in the code. As far as I can tell from my tests this is not true (unless every time I tested with such shells somebody crashed the server with their hack).

    Otherwise, it's a really interesting box. I also agree with @3ndG4me that you don't need THAT ARTICLE. Seems I did not find it initially, but used only more general advice on vulnerabilities in code in this language, i.e. which evil function not to use as a developer ;-) I learned a lot from building up my own exploit code, testing snippets in the browser console locally etc. You can trigger different server-side messages, and one will confirm that you are on the right track as it mentions the evil function ;-)

    I also tried different variations for the reverse shell code in that language. Seems with some shells you get an initial connect but then they aren't stable ... which can be hard to troubleshoot because of the frequent resets. I finally found THAT ARTICLE but only used the part of another linked article that creates the reverse shell; seems that shell was more stable than others. I would be interested in discussing details over PM: which reverse shell code you used and what detail of the code really makes the shell stable ... I think it is related to handling errors and disconnects ...

  • Got root but I think that I missed a few things. Can somebody DM me to discuss please?

  • edited June 2018

    Hi, could someone PM me how to advance (trying to get user access)? I can't find "the article" everyone is referring to. Thanks!

  • @BobBobbington said:
    Hi, could someone PM me how to advance (trying to get user access)? I can't find "the article" everyone is referring to. Thanks!

    I PM'd you

  • @s2233 said:
    Waiting 5 minutes wouldn't be so bad if the box could stay up for more than 5 minutes at a time...

    Yeah, wait 5 min, but how about someone changing your script to a reverse shell in these minutes, deleting your script and crashing the server :-1:

  • As I'd been asked per PM: I rooted it, but I would be interested in discussing details of others' reverse shell code over PM. I wrote my own script for piecing together the exploit, and I tested snippets of code for creating a reverse shell. I'd like to understand why and if some shells are more stable than others, even if they all use the same core code that actually makes the connection ...

  • Should possibly correct that spoilery wording...

    @kekra said:
    As I'd been asked per PM: I rooted it, but I would be interested in discussing details of others' reverse shell code over PM.

    I am really most interested in learning what features would generally make a reverse shell stable (in whatever programming language) in an unreliable environment such as this box is ... Scrolling back in this thread shows that others also said the same code was working for them one day, and then the other day not.

    What I should also add: I became a VIP member yesterday, so when I finally rooted it, using a seemingly good version of the code, I was working on a more stable machine.

  • SyntaxError: Unexpected token

       at Object.parse (native)
       at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js:62:16)
       at /home/sun/server.

    Whenever I try to get the reverse shell I get this. Why is it so? Can someone please tell me?

    stevv

  • Just pwned this - If anybody needs some hints DM me

  • ;-; whyz you needz hintz

  • edited June 2018

    Whenever I am running the exploit I am getting
    An error occurred...invalid username type

    Why is it so? Can you help me?

    nvm, got it

    stevv

  • @stevv said:
    Whenever I am running the exploit I am getting
    An error occurred...invalid username type

    Why is it so? Can you help me?

    Feel free to PM me; I'll try to help debug it with you.

    drtychai

  • Hi everyone,
    I'm trying to get the user's flag via the cookie to inject system commands, but without success.
    I get this page:
    "Hey Dummy undefined + undefined is NaN"
    I think it's a syntax error but I'm not sure.
    Can anyone PM me to debug this with me, please?

  • @stevv said:
    Whenever I am running the exploit I am getting
    An error occurred...invalid username type

    Why is it so? Can you help me?

    nvm, got it

    I am stuck on that bit, could you PM me what you changed? I think I'm missing something obvious.

  • Can someone help me here? In the last step of priv escalation I'm not getting the s**** back, but when I manually run it, it's getting a connection back.

    stevv

  • Hi all, I'm sending the exploit correctly, however I don't seem to be getting a response. Any tips? PM me.

  • If somebody needs any help, PM me.

    stevv

  • @xtech said:

    @s2233 said:
    Waiting 5 minutes wouldn't be so bad if the box could stay up for more than 5 minutes at a time...

    Yeah, wait 5 min, but how about someone changing your script to a reverse shell in these minutes, deleting your script and crashing the server :-1:

    Hey @xtech I 100% agree with you. That is something I personally had not considered when designing the priv esc. It definitely makes things trickier in the free HTB environments. I can't undo the damage in this case unfortunately, but I definitely have a solution to prevent a poor design choice like this should I use a similar technique for a challenge in the future.

    I really appreciate you speaking up about that issue, it forced me to really think about the design of machines for HTB, and come up with a better way to implement something like that later on.

  • @s2233 said:

    Hey @xtech I 100% agree with you. That is something I personally had not considered when designing the priv esc. It definitely makes things trickier in the free HTB environments. I can't undo the damage in this case unfortunately, but I definitely have a solution to prevent a poor design choice like this should I use a similar technique for a challenge in the future.

    I really appreciate you speaking up about that issue, it forced me to really think about the design of machines for HTB, and come up with a better way to implement something like that later on.

    Yeah, I knew the solution to get root but waited for the next day to execute it due to that guy who kept changing my script. However, the user exploit was good. Anyway, thanks for your contribution :)

  • Hi, I am terribly new. I got how to use Burp, but I keep getting the invalid username.

    Please PM me with a point in the right direction.

  • @muckitymuck said:
    Hi, I am terribly new. I got how to use Burp, but I keep getting the invalid username.

    Please PM me with a point in the right direction.

    Coffee break and come back :+1:

    Arrexel

  • edited June 2018

    Still struggling on my 3rd day with this machine... hmm... still at getting the user flag. Got the payload but keep getting HTTP error code 500, unexpected token, even though I send the user etc. in the payload request. Any hints, please PM me, thanks.

    ninpox

  • Any tip for the Celestial exploit?

  • Having some difficulty with the Celestial payload. If someone could PM me, I would appreciate it.
