@r0tt3d said:
Should I keep on trying different bypass methods for my shell upload or am I wasting my time? Should I try and get a shell in a different way?
I really can't say too much without spoiling things, but I would strongly advise you to review the code on github. If you look closely, you'll be very surprised at what you find.
It seems I bypassed the file extensions upload for my php session, but I have no idea where it's uploaded to. Looking through the GitHub I don't see anything.
@vanquish said:
It seems I bypassed the file extensions upload for my php session, but I have not idea where its uploaded to. Looking through the GitHub I dont see anything.
Look harder. It tells you where to look if you're reading the code.
@jkr said:
IIRC the time() command in PHP and time.time() in python return UTC.
Weird, if I check the source that worked and time.time() I do get the same value, but time.time() is still not working. I guess it only wanted me to work more.
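The point behind jkr's remark is that PHP's time() and Python's time.time() both return seconds since the Unix epoch, a count anchored to UTC that does not change with the host's time zone; the "time travel" confusion in this thread usually comes from turning a wall-clock time into a timestamp without saying which zone it belongs to. The Python below is an added example, not code from the thread or from the box, showing the correct aware conversion beside the naive pitfall (the one you hit with datetime.utcnow().timestamp()). The dates and UTC offsets are constructed values, and the host zone is simulated with a fixed offset so the result is the same wherever the script runs.

```python
from datetime import datetime, timedelta, timezone
import time


def epoch_from_utc_wallclock(year, month, day, hour=0, minute=0, second=0):
    """Correct conversion: attach tzinfo=UTC before calling .timestamp().

    The result is the number PHP's time() or Python's time.time() would
    return at that instant, on any machine in any time zone.
    """
    aware = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(aware.timestamp())


def epoch_from_naive_in_zone(year, month, day, hour, minute, second, utc_offset_hours):
    """The pitfall: the same UTC wall-clock values interpreted as a *naive*
    datetime on a host whose local zone is UTC+utc_offset_hours.

    .timestamp() on a naive datetime assumes local time, which is exactly
    what datetime.utcnow().timestamp() does. The host zone is simulated
    here with a fixed-offset tzinfo (constructed value) so the outcome is
    deterministic regardless of where this runs.
    """
    host_zone = timezone(timedelta(hours=utc_offset_hours))
    mislabelled = datetime(year, month, day, hour, minute, second, tzinfo=host_zone)
    return int(mislabelled.timestamp())


def skew_seconds(utc_offset_hours):
    """How far the naive conversion lands from the truth: -offset * 3600.

    Uses a constructed reference instant, 2020-01-01T00:00:00Z.
    """
    args = (2020, 1, 1, 0, 0, 0)
    return epoch_from_naive_in_zone(*args, utc_offset_hours) - epoch_from_utc_wallclock(*args)


def live_clock_agrees(tolerance_seconds=2.0):
    """Sanity check of the claim in the thread: time.time() and an aware
    UTC datetime describe the same instant on this host."""
    return abs(time.time() - datetime.now(timezone.utc).timestamp()) < tolerance_seconds


if __name__ == "__main__":
    print("2020-01-01T00:00:00Z as epoch:", epoch_from_utc_wallclock(2020, 1, 1))
    for off in (-5, 0, 2, 5.5):
        print(f"host at UTC{off:+} using a naive datetime is off by {skew_seconds(off)} s")
    print("time.time() agrees with aware UTC now:", live_clock_agrees())
```

The takeaway for anyone comparing a script's output with a server-generated timestamp: build the datetime with an explicit tzinfo and the epoch value matches regardless of where you sit; leave it naive and you are off by exactly your local UTC offset, which is the "time travel" people describe.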
@dev0id You have to form a proper request body with the correct params (you get them on errors, by the way) in the required format. Make sure you found the correct endpoint, like chart. Can't say more without spoiling.
Eventually got user... hours of struggling and it was me not adding a certain part to the URL of the exploit... Think I will take a power nap before I attempt root. XD
Love the box so far @cymtrick
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it's a hackthebox first and it's becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.
The first step is the application not running on port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.
Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.
The name of the person who gives the "message" is not important; however, @cymtrick gives a clue in the wording of his message.
Google the (the last word in his message) + "server (just the word)" + framework + language". Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn't appear to have any endpoints as you cannot GET anything. Thus, it isn't a REST API; however, there is a single endpoint, and it does have a g**** api
Comments
hint for root please
Got half the user... need some tips for finding the rest?
https://i.imgur.com/4jXzPqJ.png
404 Friend Not Found
deleted
My Discord | My Twitter | My Youtube

That is a good hint
Took me a while to know I had to time travel, I feel discriminated.
Edit: Found it. Nice box with little frustration on error msg. Interested to know the other way to get the user.
Learn | Hack | Have Fun
Exactly.. not unless you live in a UTC time zone XD
OSWE | OSCP | CCNA | PMP
You still have to time travel a little bit, or adjust the exploit, which is what I did
OSWE | OSCP | CCNA | PMP
need root help...
If anyone could help me with the Node.js part and how to use it, that would be great. Never used this method and I am a bit lost here.
rooted.. nice box...
Spoiler Removed
The travel in time confused me a bit, how do I get back the right value?
@Seth70 Look at the server header response with a proxy
I did this way too. It's pretty interesting to get the things.
Learn | Hack | Have Fun
@MrR3boot So simple fuzzing for the parameter name and value is not enough? Is the etag important?
This might help
a collection of points whose coordinates satisfy a given relation.
@cymtrick Nice box dude. Good learning BTW
Learn | Hack | Have Fun
oh noo... XD a bit overthought by me, thx...
If you are trying to get the upload with an exploit-db thing, you have to modify more than just the time. Hope this isn't taken as a spoiler.
Got root but am not sure if it is the intended way or not… Whom can I ask?