Hint for HELP

Finally rooted after so many struggles! Honestly the box is harder than it is rated. I went the obvious way to get root. If u did something different, please DM me and let me know.

Hints:
User…

  1. make sure u read about nmap lies on internet about services are on what ports, sometimes it might lie to you.
  2. To find credentials, figure out what server it is and google “how to ”
  3. Think about time
  4. look at the github page, especially to know where your file is going and if it is going at all.
  5. exploitdb is your friend, he is here to help! (haha get it?)
  6. think about time
  7. think about time
  8. think about time

Noted: I think there might be a typo in exploitdb when talking about how the app is vulnerable, just keep that in mind

Root…

  1. sOMEtIMES we make mistakes while typing.

I beat my head against the wall for two days. I tried to exploit lower port in a right way, but it didn’t work. The script just didn’t find my uploaded shell. I switched from EU VIP to US VIP and it worked perfectly. Thanks to @EXC3L for help

@chojin said:

I guess I have it almost there… just cannot seem to exploit the helpdeskz thing. How can I verify the local time of the server to make sure it matches mine?! PM would be nice. Thanks!

Edit: Actually pretty sure I have the time correct… (curl -v should give that information from what I read).

Would the exploit just be as easy as → python exploit.py http://ip/support/ reversh.php ?
I am probably missing something…

check the url…the source of the app will help you, Github is your friend :wink:

I am a noob and have been avoiding asking for help with…help, but I am stuck. I got the user credentials from n****s, found the source code on GitHub but get a 302 for the next part. Can someone PM me to make sure I am not overthinking things?

Just got user in this box …
Is it an easy box ?
I am new to HTB

Rooted …But would love to know how to get user with g**** …Can anyone help ?

@sillydaddy said:

Just got user in this box …
Is it an easy box ?
I am new to HTB

k got it :slight_smile:

got the user, stuck on root. I read the files and found the thing. But now what do I do with it?! can’t sudo or su in the reverse shell…

Rooted! Thank you @Echo99 for the help!

Rooted loved the box. Did the gr***l (user and password) way if anybody wants help or discuss how I did it, feel free to PM.
Shout out to people who helped me thanks guys <3

Did the gr***l way (username and password) if anybody wants hint or wants to discuss, feel free to pm me.

@Echo99 said:

Stuck on user, trying HelpDesk Way. I’m attempting to find the php shell uploaded, I’m also pretty sure that the directory in which the file will be uploaded is /st/u*/t*****s/. I’ve also read the github repo trying to figure out how files are managed. Nevertheless, I can’t even display on the website a previously uploaded jpg file. Any hint will be appreciated.

-Edit, Finally found the way to find uploaded files, searching now for a way to RCE php. It is always showing the jpg image even if code is embedded in exif

-Edit, Got user even if with some difficulties. Also got root in a very straightforward way.

Hint for user (low port):
To understand where your file will be uploaded read docs and search for
a specific hd exploit

Hint for root: Enumeration and Search are the two main words

After 2 days of user, I finally timed out and got user. Root followed shortly. Thanks to @Echo99 for a nudge.

I have been trying to get the user flag for days using the unauthenticated s**** upload. After reading through this thread and actually reading the code for the exploit I believe my clock needs to be adjusted although I don’t know what to adjust it to. Anyone that has figured out how to figure out the adjustment for time please PM me so I can stop banging my head on this machine.

your clock doesn’t need to be adjusted, as several people have pointed out.

Just got root. Wow, that took a lot longer than it should have done, but at least I learnt a lot about shells.

The root isn’t quite as easy as it first appears. Think about what’s actually gone wrong.

Got root!! Thanks to @smaxxx @EXC3L. I was getting an invalid argument error when executing the exploit, but it worked after a couple of resets.

Stuck on user, so I got the credentials from the high port and logged into the lower port but I’m lost on what to do next. PM me I need help :frowning:

Got the credentials, cannot connect low port with them, any suggestions?

Got root the unintended way. This was a good box.

PM for Hints if needed :smiley: