@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a HackTheBox first and it’s becoming extremely popular in modern JavaScript web applications. You will surely see it again in future engagements.
I gotta disagree. Either way into the box is a valid approach.
@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a HackTheBox first and it’s becoming extremely popular in modern JavaScript web applications. You will surely see it again in future engagements.
The first step is the application that is running on a port other than 80 or 22. If you look at the Server header, you should be able to see the framework. From that you should be able to get the language the backend is coded in.
Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.
The name of the person who gives the “message” is not important; however, @cymtrick gives a clue in the wording of his message.
Google (the last word in his message) + "server" (just the word) + framework + language. Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn’t appear to have any endpoints, as you cannot GET anything. Thus, it isn’t a REST API; however, there is a single endpoint, and it does have a g**** api =)
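Added example (not part of any post in this thread, and not the box's own code): the hint above is about a single POST-only endpoint on a non-standard port. Assuming the masked word is GraphQL (an assumption; the post deliberately masks it), the usual way to find out what such an endpoint exposes is an introspection query. The script below builds the request body, and parses an introspection response into a list of root queries, object types and fields, then builds the follow-up query that dumps every scalar field of a given root object. The response it parses is constructed inline so it runs offline; the `post_introspection` helper is what you would point at a real target.

```python
import json
import urllib.request

# Abridged form of the standard GraphQL introspection query: enough to list
# root query fields, object types, their fields, arguments and return types.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields {
        name
        args { name }
        type { name kind ofType { name kind ofType { name kind } } }
      }
    }
  }
}
""".strip()


def build_request_body(query=INTROSPECTION_QUERY):
    """JSON body to POST to the single endpoint. A GraphQL endpoint normally
    answers a plain GET with an error, which is why directory brute-forcing
    and browsing show nothing."""
    return json.dumps({"query": query})


def post_introspection(url):
    """POST the introspection query to a live endpoint (not used by the offline demo)."""
    req = urllib.request.Request(
        url,
        data=build_request_body().encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def unwrap_type(t):
    """Strip NON_NULL / LIST wrappers and return (named type, kind)."""
    while t is not None and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    if t is None:
        return None, None
    return t.get("name"), t.get("kind")


def summarize_schema(response):
    """Map each user-defined OBJECT type to a list of
    (field name, [argument names], return type name, return type kind)."""
    schema = response["data"]["__schema"]
    summary = {}
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip scalars/enums and the built-in __Schema/__Type types
        fields = []
        for f in t.get("fields") or []:
            args = [a["name"] for a in (f.get("args") or [])]
            rname, rkind = unwrap_type(f["type"])
            fields.append((f["name"], args, rname, rkind))
        summary[t["name"]] = fields
    return summary


def root_queries(response):
    """Names of the fields on the root query type: the entry points you can call."""
    root = response["data"]["__schema"]["queryType"]["name"]
    return [name for name, _, _, _ in summarize_schema(response).get(root, [])]


def build_follow_up_query(response, root_field):
    """For a root field returning an object type, build a query that selects
    every scalar field of that type: the first thing to dump after introspection."""
    summary = summarize_schema(response)
    root = response["data"]["__schema"]["queryType"]["name"]
    for name, _, rname, rkind in summary.get(root, []):
        if name == root_field and rkind == "OBJECT":
            scalars = [f for f, _, _, k in summary.get(rname, []) if k == "SCALAR"]
            return "{ %s { %s } }" % (root_field, " ".join(scalars))
    raise ValueError("no object-returning root field named %r" % root_field)


# Constructed sample response (not captured from any real target), shaped like
# what a server returns to INTROSPECTION_QUERY. Type and field names are made up.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": None,
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "user", "args": [],
             "type": {"name": None, "kind": "LIST",
                      "ofType": {"name": "User", "kind": "OBJECT", "ofType": None}}},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "username", "args": [],
             "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "password", "args": [],
             "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
        ]},
        {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "__Schema", "kind": "OBJECT", "fields": []},
    ]}}}


if __name__ == "__main__":
    print("root queries:", root_queries(SAMPLE_RESPONSE))
    for tname, fields in summarize_schema(SAMPLE_RESPONSE).items():
        print(tname, [f[0] for f in fields])
    print("next query:", build_follow_up_query(SAMPLE_RESPONSE, "user"))
```

Against a real target you would call `post_introspection("http://host:port/path")` and feed the result to the same functions; if introspection is disabled the server returns an `errors` array instead of `data`, and you fall back to guessing field names. Note that a password field returned by the API is still only as useful as its hash strength, which is exactly the point made further down the thread.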
This actually helped me; now I have the credentials but I don’t know how to use them. Tried to use them on port 80 as well as SSH, which didn’t work out.
I guess these creds are tied to ******?
No. They are tied to the webapp. Passwords are usually hashed right? Crack it.
Anyone able to point me in the right direction regarding Priv Esc to get root? Did some enumeration and did not find anything that immediately sticks out. Read a few config and .json files but does not seem of interest?
Hopefully these are helpful hints without giving away too much:
User - Don’t always assume you’re doing things wrong. If you have a tool to help you exploit something, don’t assume it will work as-is.
Root - Stick to the basics to enumerate the system to find out what is on there.
As some others said, you can go about getting user by just focusing on the first service you see, but the other service you see is a good learning experience to help you get a foothold.