Hint for HELP

F**K.js

Any hints on what to do with the creds from JSON? I tried using them (and derivatives/combinations of them) at various places with no luck

Use them on the webapp with the login page.

I am able to calculate the file name, but can’t bypass the php ext filter. Am I on the wrong track?

So, I was able to find the endpoint @1NC39T10N was talking about, but I have absolutely no clue for what to query, anybody can give a little hint?

@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

The first step is the application running not on Port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

Note: you will NOT find anything using most wordlists. So gobuster or dirb (etc) are useless here

The name of the person who gives the “message” is not important; however, @cymtrick gives a clue in the wording of his message.

Google the (the last word in his message) + "server (just the word)" + framework + language". Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn’t appear to have any endpoints as you cannot GET anything. Thus, it isn’t a REST API; however, there is a single endpoint, and it does have a g**** api =)

This actually helped me, now I have the credentials but I don’t know how to use them. Tried to use them on port 80 as well as ssh which didn’t work out.

I guess these creds are tied to g*****l?

@Crizzpy said:

@1NC39T10N said:
I want to drop a bit of a hint on this box because a lot of people are not familiar with the intended first step and are basically bypassing the whole first part of this box, which is a shame because it’s a hackthebox first and it’s becoming extremely popular in modern javascript web applications. You will surely see it again in future engagements.

The first step is the application running not on Port 80 or 22. If you look at the server header, you should be able to see the framework. From this you should be able to get the language the backend is coded in.

Note: you will NOT find anything using most wordlists. So gobuster or dirb (etc) are useless here

The name of the person who gives the “message” is not important; however, @cymtrick gives a clue in the wording of his message.

Google the (the last word in his message) + "server (just the word)" + framework + language". Scroll down a bit and you should start seeing results for it. You should have gathered that this server doesn’t appear to have any endpoints as you cannot GET anything. Thus, it isn’t a REST API; however, there is a single endpoint, and it does have a g**** api =)

This actually helped me, now I have the credentials but I don’t know how to use them. Tried to use them on the port 80 login page as well as ssh which didn’t work out.

I guess these creds are tied to ******?

No. They are tied to the webapp. Passwords are usually hashed right? Crack it.

There are also rainbow tables for certain hash types. No need to crack. Save your CPU for other things… :joy:
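The exchange above (crack the stored hash, or just look it up in a precomputed table) is the defender's reason for salting and slow hashing. The following is an added example, not code from the thread or from the box: it builds a tiny precomputed table of unsalted MD5 digests from a constructed wordlist, shows that an unsalted hash is resolved with a single lookup while a salted one is not, and then shows the storage scheme that defeats the lookup (per-user random salt plus PBKDF2). The wordlist, the salt and the iteration count are constructed values for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary; a precomputed table
# is just this mapping built once and reused against every unsalted hash.
WORDLIST = ["password", "letmein", "helpdesk", "welcome1", "summer2019"]


def build_md5_table(words):
    """Map md5(word) -> word. Precomputation cost is paid once, lookups are O(1)."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(table, hex_digest):
    """Resolve a digest to a password if it was precomputed, else None."""
    return table.get(hex_digest.lower())


def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password, salt):
    # Any salt, even a weak one, makes the generic table useless: the
    # attacker would have to precompute one table per salt value.
    return hashlib.md5((salt + password).encode()).hexdigest()


# --- Hardened storage: random per-user salt + slow, iterated hash ---------

PBKDF2_ITERATIONS = 200_000  # constructed value; tune to your CPU budget


def create_record(password):
    """Return the tuple a database row should hold: (salt, derived key)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(record, candidate):
    """Recompute the derivation and compare in constant time."""
    salt, stored = record
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, stored)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print("unsalted:", lookup(table, md5_unsalted("helpdesk")))   # found
    print("salted:  ", lookup(table, md5_salted("helpdesk", "x7")))  # None
    rec = create_record("helpdesk")
    print("verify good:", verify_password(rec, "helpdesk"))
    print("verify bad: ", verify_password(rec, "letmein"))
```

The table lookup succeeds only because the digest carries no salt; once a salt is mixed in, the same wordlist has to be re-hashed for every row, and with PBKDF2 each of those re-hashes costs hundreds of thousands of iterations instead of one.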

Is it supposed to have a shell.php in knowledge base?

Anyone able to point me in the right direction regarding Priv Esc to get root? Did some enumeration and did not find anything that immediately sticks out. Read a few config and .json files but does not seem of interest?

User is much more complicated than root

edit - d’oh!

Hopefully these are helpful hints without giving away too much:

User - Don’t always assume you’re doing things wrong. If you have a tool to help you exploit something, don’t assume it will work as-is.

Root - Stick to the basics to enumerate the system to find out what is on there.

As some others said, you can go about getting user by just focusing on the first service you see, but the other service you see is a good learning experience to help you get a foothold.

Rooted twice (two different methods).

Is it just me or does the method to find payload only work some of the time? I can’t get it to work reliably, it’s pretty frustrating.

Port XXXX is down, anybody online now…?

I need a bit of help with the time travel, I believe I have the right path and time, but it is not finding my payload…

I really enjoyed this box :slight_smile: seems to be PWK/OSCP like and has a little bit of everything!! Tricky but in a very good way!!!

Thanks a lot @cymtrick

Rooted it, anyone need some nudge can dm me :wink:

Hmm… I get the references to time travel and have been working on that on things that should get uploaded, and a thing you might make in Excel on the other port that gave me credentials.

I have ‘made’ the correct URL as the googleable exploits may not be quite pointing to the right place (confirmed via github) - I have the correct skew or near enough and have changed the script to give a range of a few units of measurement either side to ensure it’s caught, but I can’t find my upload that is legit. let alone the ‘errored’ ones.

Can I get directly to this from the thing you might make in Excel? I couldn’t see anything other than creds… which makes me wonder how people got to it directly from the other site, you presumably need those creds?

I am sure I am missing something painfully obvious.