Hint for HELP

@opt1kz said:

@r0tt3d said:
Should I keep on trying different bypass methods for my shell upload or am I wasting my time? Should I try and get a shell in a different way?

I really can’t say too much without spoiling things, but I would strongly advise you to review the code on github. If you look closely, you’ll be very surprised at what you find.

This makes it sound like there is a standard place where code for it is kept on github…? Or should I just google search for it? (I’m a noob)

Check what software is installed and then search on github. When you have downloaded a version and know what files are in a standard installation, you can download the README or something like that from the server to check what version is installed on the box.

@MrR3boot @cymtrick those were great hints, thanks!

@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

I gotta disagree. Either way into the box is a valid approach.

F**K Express.JS and Node.JS. Is Javascript a real language anyway?

F**K.js

Any hints on what to do with the creds from JSON? I tried using them (and derivatives/combinations of them) at various places with no luck

Use them on the webapp with the login page.

I am able to calculate the file name, but can’t bypass the php ext filter. Am I on the wrong track?

So, I was able to find the endpoint @1NC39T10N was talking about, but I have absolutely no clue what to query. Can anybody give a little hint?

@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

The first step is the application running not on Port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.

The name of the person who gives the “message” is not important; however, @cymtrick gives a clue in the wording of his message.

Google the (the last word in his message) + "server (just the word)" + framework + language". Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn’t appear to have any endpoints as you cannot GET anything. Thus, it isn’t a REST API; however, there is a single endpoint, and it does have a g**** api =)

This actually helped me, now I have the credentials but I don’t know how to use them. Tried to use them on port 80 as well as ssh, which didn’t work out.

I guess these creds are tied to g*****l?

@Crizzpy said:

@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

The first step is the application running not on Port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.

The name of the person who gives the “message” is not important; however, @cymtrick gives a clue in the wording of his message.

Google the (the last word in his message) + "server (just the word)" + framework + language". Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn’t appear to have any endpoints as you cannot GET anything. Thus, it isn’t a REST API; however, there is a single endpoint, and it does have a g**** api =)

This actually helped me, now I have the credentials but I don’t know how to use them. Tried to use them on the port 80 login page as well as ssh, which didn’t work out.

I guess these creds are tied to ******?

No. They are tied to the webapp. Passwords are usually hashed right? Crack it.

There are also rainbow tables for certain hash types. No need to crack. Save your CPU for other things… :joy:

Is it supposed to have a shell.php in knowledge base?

Anyone able to point me in the right direction regarding Priv Esc to get root? Did some enumeration and did not find anything that immediately sticks out. Read a few config and .json files but does not seem of interest?

User is much more complicated than root

edit - d’oh!

Hopefully these are helpful hints without giving away too much:

User - Don’t always assume you’re doing things wrong. If you have a tool to help you exploit something, don’t assume it will work as-is.

Root - Stick to the basics to enumerate the system to find out what is on there.

As some others said, you can go about getting user by just focusing on the first service you see, but the other service you see is a good learning experience to help you get a foothold.

Rooted twice (two different methods).

Is it just me or does the method to find payload only work some of the time? I can’t get it to work reliably, it’s pretty frustrating.