Hint for HELP

Hey guys, I’m shin and I really need help regarding this machine.
My problem is that I can’t access my shell even though I found the right directory, but it kept redirecting me to the index without the connection of my shell. Is this supposed to happen?
I’m doing this without the creds

User:
Using the HxxxDxxxZ application vuln, you can get user access.
For the exploit, the path should be the path to the upload folder and not to HxxxDxxxZ’s root folder as mentioned in the exploit.
The exploit is independent of your time zone as it uses a timestamp (time in seconds since the epoch as a floating point number).
Root:
very simple

Any hint for second port (the higher one)?

For all those who need help with the high road, I took it.

  1. Figure out what the high port is doing and how it interacts with the server. Google is your friend here. It is partly a diagram showing the relation between variable quantities.

  2. If you did step 1 right you don’t need to guess anything, just login and enumerate. Play with what you can do and google vulns. Get a copy of the source like others have suggested and keep it handy.

  3. Figure it out? B**** -****** is a pain to do by hand. I strongly suggest you script this yourself. If you do, it will come in handy later.

  4. Got the creds but can’t figure out what to do with them? Well you haven’t enumerated enough and you have tunnel vision. There isn’t always just one way in. Still can’t find it? Well you can always try it before you buy it.

  5. So you figured it out and logged in. Enumerate. Look at what you can change. This will seem trivial if you know about the quick and easy exploit but do it anyway. It should be obvious what to do now.

  6. Didn’t luck out with finding the dir? Can’t find your file? Look at the source you kept handy from step 1 for clues. Now, you have probably read the quick exploit already and know what happens. Well forget all that traveling to London nonsense! Go back to step 3.

  7. Now root it. Keep it simple like when you were first learning.

Best of luck. PM me if you need help.

@Shin said:

> Hey guys, I’m shin and I really need help regarding this machine.
> My problem is that I can’t access my shell even though I found the right directory, but it kept redirecting me to the index without the connection of my shell. Is this supposed to happen?
> I’m doing this without the creds

try to run the exploit right after doing the upload, do it fast

Just rooted this machine, but in a not quite “simple” way. From the posts I noticed everyone else did it with some basic knowledge. Did I miss something?

Can anyone PM me the common way to do it?

Pretty straightforward box, popped quite easily doing the proper enumeration, although I got a bit frustrated that my initial foothold exploit wasn’t working until I read what it was trying to do. Then root first go 5 mins later. Didn’t bother with the higher port stuff. Wasn’t necessary.

I tried to upload a webshell to the web application (I knew the path, bypassed the extension check), and I once successfully uploaded the webshell. However, I can’t upload it again. I changed my computer’s time zone to London. However, it doesn’t work, I can’t find the path of the web shell again. Please help me.

Finally I have beaten this challenge. My Hints:

  • User Flag is very tricky. You have to read the exploit very well and understand how the file upload works… Without reading the previous posts it was impossible for me… When you run the exploit you have to set the upload path and not the root path of the app like the exploit says.

  • Root Flag is veeeeeery easy. You don’t need any enumeration. System info alone is enough. Basic concepts of post-exploitation…

Can someone PM me about the high port way? I see the service but I don’t understand what you can do with it.

Hey, stuck on this box. Trying both http services exposed but getting nowhere. Anyone able to give me a nudge via PM?

Holy ■■■■ I actually got user.
Unexpected, also somewhat annoying because I spent so long trying to evade the filter.

can’t get it to work, did the time. got the right path, still found nothing.
or get a cross site error. pls help.

ok it was a syntax error got in low lv shell

Hello guys! I’ve managed to get user, but I’m struggling getting root. I will be very thankful if anyone is willing to help me!

Finally got root. Yeah that was stupid easy.
If you got user, root should take like 10 minutes, unless you’re dumb like me. xD
It’s a known exploit, but it helps to have a good interactive shell.

Why is there a time difference between EU-Free and EU-VIP# server time stamps, by about 3 minutes, on the lower port service? I switched from EU-Free to EU-VIP# due to box resets, but now I cannot find my file upload no matter what, but it worked fine on EU-Free (I just kept getting connection timeouts or refused (110)/(111) so I switched boxes). It’s driving me crazy, and no amount of accounting for those 3 minutes seems to matter…

Any tips on upgrading the limited shell to an interactive shell? I have used weevely for the payload but it seems I can’t really run most things in it.

I can find my uploaded file but I can’t bypass the fi** not allowed, any help?

@sazouki said:

> I can find my uploaded file but I can’t bypass the fi** not allowed, any help?

Read the source code more closely regarding how uploads are handled by the app.

Rooted.
Priv esc was a piece of cake…
I’m gonna try to get user thru the higher port.

Wow, so there are two ways to root this box.