Hint for HELP

IIRC the time() command in PHP and time.time() in python return UTC.

@jkr said:
IIRC the time() command in PHP and time.time() in python return UTC.

You still have to time travel a little bit, or adjust the exploit, which is what I did :wink:

But it does not have to do with timezones but with poorly synced clocks?

@jkr said:
IIRC the time() command in PHP and time.time() in python return UTC.

Weird, if I check the source that worked and time.time() I do get the same value, but time.time() is still not working. I guess it only wanted me to work more.

need root help…

If anyone could help me with the Node.js part and how to use it, that would be great. Never used this method and I am a bit lost here.

rooted… nice box…

Spoiler Removed

The travel in time confused me a bit. How do I get back the right value?

@Seth70 Look at the server header response with a proxy

@lemarkus said:
If anyone could help me with the Node.js part and how to use it, that would be great. Never used this method and I am a bit lost here.

I did it this way too. It’s pretty interesting to get the things.

@MrR3boot So simple fuzzing for the parameter name and value is not enough? Is the ETag important?

@dev0id You have to form a proper request body with the correct params (you get them on errors, by the way) in the required format. Make sure you found the correct endpoint, like chart. Can’t say more without spoiling.

@dev0id said:
@MrR3boot So simple fuzzing for the parameter name and value is not enough? Is the ETag important?

This might help:
a collection of points whose coordinates satisfy a given relation.

@cymtrick Nice box dude. Good learning BTW

@lantog said:
@Seth70 Look at the server header response with a proxy

Oh noo… XD a bit overthought by me, thx…

Eventually got user… hours struggling and it was me not adding a certain part to the URL of the exploit… Think I will take a power nap before I attempt root. XD
Love the box so far @cymtrick

If you are trying to get the upload with an exploit-db thing, you have to modify more than just the time. Hope this isn’t taken as a spoiler.

I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

The first step is the application running not on Port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.

The name of the person who gives the “message” is not important; however, @cymtrick gives a clue in the wording of his message.

Google the (last word in his message) + "server" (just the word) + framework + language. Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn’t appear to have any endpoints as you cannot GET anything. Thus, it isn’t a REST API; however, there is a single endpoint, and it does have a g**** api =)

Got user.txt, for root… is the folder with web****.con**.js worth investigating any further? (I feel like I’ve saturated this)

EDIT:

rooted.

This privesc was a slap in the face after playing around for hours - don’t forget the basics.

@opt1kz said:

@r0tt3d said:
Should I keep on trying different bypass methods for my shell upload or am I wasting my time? Should I try and get a shell in a different way?

I really can’t say too much without spoiling things, but I would strongly advise you to review the code on github. If you look closely, you’ll be very surprised at what you find.

This makes it sound like there is a standard place where code for it is kept on GitHub…? Or should I just Google search for it? (I’m a noob)