Hint for HELP

@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

I gotta disagree. Either way into the box is a valid approach.

F**K Express.JS and Node.JS. Is JavaScript a real language anyway?

F**K.js

Any hints on what to do with the creds from JSON? I tried using them (and derivatives/combinations of them) at various places with no luck

Use them on the webapp with the login page.

I am able to calculate the file name, but can’t bypass the PHP ext filter. Am I on the wrong track?

So, I was able to find the endpoint @1NC39T10N was talking about, but I have absolutely no clue for what to query, anybody can give a little hint?

@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

The first step is the application not running on port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

Note: you will NOT find anything using most wordlists, so gobuster or dirb (etc.) are useless here.

The name of the person who gives the “message” is not important; however, @cymtrick gives a clue in the wording of his message.

Google (the last word in his message) + "server" (just the word) + "framework" + "language". Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn’t appear to have any endpoints, as you cannot GET anything. Thus, it isn’t a REST API; however, there is a single endpoint, and it does have a g**** api =)

This actually helped me, now I have the credentials but I don’t know how to use them. Tried to use them on port 80 as well as SSH, which didn’t work out.

I guess these creds are tied to g*****l?

@Crizzpy said:


This actually helped me, now I have the credentials but I don’t know how to use them. Tried to use them on the port 80 login page as well as SSH, which didn’t work out.

I guess these creds are tied to ******?

No. They are tied to the webapp. Passwords are usually hashed right? Crack it.

There are also rainbow tables for certain hash types. No need to crack. Save your CPU for other things… :joy:

Is it supposed to have a shell.php in the knowledge base?

Anyone able to point me in the right direction regarding priv esc to get root? Did some enumeration and did not find anything that immediately sticks out. Read a few config and .json files, but they do not seem of interest?

User is much more complicated than root.

edit - d’oh!

Hopefully these are helpful hints without giving away too much:

User - Don’t always assume you’re doing things wrong. If you have a tool to help you exploit something, don’t assume it will work as-is.

Root - Stick to the basics to enumerate the system to find out what is on there.

As some others said, you can go about getting user by just focusing on the first service you see, but the other service you see is a good learning experience to help you get a foothold.

Rooted twice (two different methods).

Is it just me or does the method to find payload only work some of the time? I can’t get it to work reliably, it’s pretty frustrating.

Port XXXX is down. Anybody online now…?

I need a bit of help with the time travel, I believe I have the right path and time, but it is not finding my payload…

I really enjoyed this box :slight_smile: Seems to be PWK/OSCP-like and has a little bit of everything!! Tricky, but in a very good way!!!

Thanks a lot @cymtrick