Hint for HELP

@blueorchid said:
Hello, I’m stuck at the high-level port. I found the endpoint but just cannot get my query right. Some help would be greatly appreciated.

Any hint for the endpoint?

any hint @takeiteasy ???

Hello guys, can someone help me please on this machine … i’m stuck … thanks in advance :slight_smile: <3

@m4rc1n said:
Now Im really confused. I used the REST alternative to get user and its hash (with one of the previous posts its easy). I cracked the hash and have also password. tried to log in via the lowest port and cannot. What am I missing?

likely someone has changed the password, there are a to of trolls on this box

Not sure if something changed on this box, I was previously able to “submit a ticket” using a bypass and “find my ticket” afterwards. But now I can’t find my uploads, even if I upload jpg/txt/etc. Did something change on the box?

Rooted. I agree that user was much more of a challenge than root, but definitely an interesting box to play with.
So, for my hints.

User: There maybe more than one application running. Headers are helpful. Make sure to CoVEr the services found, and let this baby hit 88 mph.

Root: Everyone keeps using the same phrases, like “basic,” easy, “don’t overthink,” and so on. For those struggling with what they mean, google any beginner’s guide to priv esc, and it is usually one of the first bits of information you can get and find exploits for.

PM me if you need further hints.

Another tip: This box gets reset often which may not show up as an error in the middle of a script run. I had this happen and missed an entry earlier because I didn’t notice the reset.

Also - you don’t need SQLMap.

Hint #3: The error messages from the webapp will LIE to you.

Finally rooted! Thanks @Spiderixius for your hints and @cymtrick for the box. User was frustrating…

@isuckathacking said:
Another tip: This box gets reset often which may not show up as an error in the middle of a script run. I had this happen and missed an entry earlier because I didn’t notice the reset.

Also - you don’t need SQLMap.

Hint #3: The error messages from the webapp will LIE to you.

By error messages you meant “**** not allowed” ?

@cymtrick said:

@dev0id said:
@MrR3boot so simple fuzzing for the parameter name and value is not enough? is the etag important?
This might help
a collection of points whose coordinates satisfy a given relation.

Lol now I understand xD

Is machine’s timezone important? Also i can’t even find jpg files when i upload. Helps will be appreciated.

Sorry if spoiler but apparently people have been using this video as a hint: Leon Shows Larry How to Deal w/ Bullies | Curb Your Enthusiasm (2017) | HBO - YouTube

I mean wtf is going on with this machine. Constant resets, people changing the password. Have some ■■■■■■■■ class or integrity.

It seems that people are changing settings on this box after they get in. Things that worked up to a point yesterday don’t work today. For instance P*P shells would upload yesterday and today they are not allowed.

Ugh. I can’t seem to execute malicious code in the ticketing system…

Hi Everyone. I like this box. Congrat to creator. Some guidance for anyone now doing it.
Do your enumeration
think logically google exploit for app
read exploit! what is it talking about, what file? get the file from github, what else can you learn?
I did not even need to modify exploit in order to work, I’m in UK (wonder why that’s important??? ;))
for root go back to basics as mentioned before!

Got a password. Need a username. Tried any possible, logical combo. Can’t login. Any idea on possible usernames?
Edit: found it. Just use what you got.

Found creds. Im getting bunk results on a SQLi once authenticated. Pulling my hair out. can anyone pm me some nudges?

Im apparently dumbfounded by the upload bypass too. Github code looks easily by passable but im failing miserably.

Someone pm me and ill + rep you

@ChiefCoolArrow said:
Found creds. Im getting bunk results on a SQLi once authenticated. Pulling my hair out. can anyone pm me some nudges?

Im apparently dumbfounded by the upload bypass too. Github code looks easily by passable but im failing miserably.

Someone pm me and ill + rep you

At one point yesterday it was straightforward for uploading shells and today it doesn’t work. I don’t know what happened.

i just found three ports ,webapp dir , and i know the script, i tried upload shell.php.jpg, it doesn’t work(i did found the correct url by script) i don’t know how to use, i didn’t found sqli. Anyone PM me, hit me plz…

Finally got root on the box. It was honestly a fun box. I learned a lot. There are a couple of trivial parts you need to tackle for the initial foothold (USER).

USER: There are two different ways. I went with the unauthenticated way. I also got the user creds for the authenticated way but didn’t try it yet. As I mentioned before, you need to solve the trivial parts in order to get a successful RCE. :slight_smile:

ROOT: As mentioned by many people, stick to the basics. Most famous ones are not always your friend :-]

For the USER part I got some help from Forum, please PM me if you need some help.

Enjoy!