Hint for HELP

Just completed. Actually it's a fun box, but it's awesome.
Hints for uploading shell: don't care about the error, the file still persists
Hints for user: no hints
Hints for root: Google will be good in finding C*E on ker**l

Rooted. I leave here some hints:

USER: I think I followed the intended way: Enumerate the high port until you find what the message says. Authenticated vulnerability to extract some other information. Now you can use that information to access the machine easily WITHOUT uploading anything.

ROOT: EDIT: You don’t have to use any ker**l ex****t. Just enumerate the machine and read files.

I’m really confused on getting user on this one. I know there’s two ways and I’ve tried both…

  1. Unauthenticated. I’ve tried to run the script a million ways and I can’t find my upload. People are saying “travel to London”, but that doesn’t make much sense because the server uses GMT/UTC and so does time.time() in Python. So the times should match up. UTC time is by default timezone insensitive…so I’m not sure how to change that.

  2. Authenticated. I’ve got the creds and logged in as a user. But the b**** s*** attack to get admin creds isn’t working for me, even though I’ve made a ticket with an attachment. Any help there?

If anyone could help or PM me, it would be much appreciated. Thanks!

Got user the semi-intended way and rooted with an exploit. Would like to know how the other port was done; PM me to discuss.

Thank the Lord. I got root! If anyone needs help you can PM me.

General comment: Try to exhaust all options for any box you are working on before attempting any exploits. Don’t just go for an MSF exploit. Very few of these boxes are built around MSF attacks and you are really doing yourself a disservice if you rely on MSF for everything. I’ve seen in the comments that tons of people used exploits to get root. Yeah, anyone can do that. If you have a zero day you can own any box in the list. But that’s not what they are for; they are here so you can challenge yourself. You don’t need an exploit for root on this box.

If anybody has the time and will to help with this box,
please write me a PM and I will send everything I did and found in the last 2 weeks.
Even after reading everything here and a lot of tries, I am missing something for sure.
Thank you in advance.

Had a great time with this box. Getting user took by far the longest and some degree of time travelling :)

Can someone give me a prod in the right direction for root, without using a k***** exploit?

Rooted, took me way longer than I would have hoped.

User:
I took the ** port way, I think it is quite easy, just remember to enumerate. I personally did read any of the GitHub code, just google/exploit-db anything you stumble upon and then you will quickly see what you need to find next.

Root:
Although it’s not difficult it’s very easy to just fall into a rabbit hole and ignore the basics.

If you need any help PM me.

@lackofgravitas said:

Can someone give me a prod in the right direction for root, without using a k***** exploit?

Read files.

I’ve read up on the source code and the timing. I think I am missing something stupid with both of the exploits. Would anyone be able to PM and assist with getting this working 100%?

Rooted. Now I just feel dumb.

I guess I have it almost there… just cannot seem to exploit the HelpDeskZ thing. How can I verify the local time of the server to make sure it matches mine?! PM would be nice. Thanks!

Edit: Actually pretty sure I have the time correct… (curl -v should give that information from what I read).

Would the exploit just be as easy as → python exploit.py http://ip/support/ reversh.php ?
I am probably missing something…

Finally rooted after so many struggles! Honestly the box is harder than it is rated. I went the obvious way to get root. If you did something different, please DM me and let me know.

Hints:
User…

  1. Make sure you read on the internet about nmap lying about what services are on what ports; sometimes it might lie to you.
  2. To find credentials, figure out what server it is and google “how to ”
  3. Think about time
  4. Look at the GitHub page, especially to know where your file is going and if it is going at all.
  5. exploitdb is your friend, he is here to help! (haha get it?)
  6. think about time
  7. think about time
  8. think about time

Note: I think there might be a typo in exploitdb when talking about how the app is vulnerable; just keep that in mind.

Root…

  1. sOMEtIMES we make mistakes while typing.

I beat my head against the wall for two days. I tried to exploit the lower port the right way, but it didn’t work. The script just didn’t find my uploaded shell. I switched from EU VIP to US VIP and it worked perfectly. Thanks to @EXC3L for the help.

@chojin said:

I guess I have it almost there… just cannot seem to exploit the HelpDeskZ thing. How can I verify the local time of the server to make sure it matches mine?! PM would be nice. Thanks!

Edit: Actually pretty sure I have the time correct… (curl -v should give that information from what I read).

Would the exploit just be as easy as → python exploit.py http://ip/support/ reversh.php ?
I am probably missing something…

Check the URL… the source of the app will help you, GitHub is your friend ;)

I am a noob and have been avoiding asking for help with…help, but I am stuck. I got the user credentials from n****s, found the source code on GitHub but get a 302 for the next part. Can someone PM me to make sure I am not overthinking things?

Just got user in this box…
Is it an easy box?
I am new to HTB

Rooted… But would love to know how to get user with g****… Can anyone help?