Hint for HELP

I'm needing assistance with this box please.
I know I've got the right path and the correct exploit.
Can someone please DM me, I can't run the exploit in the intended way.
Any help would be great :slight_smile:

Got the user RCE working really well now, been stuck up on root for a little while though. Trying to avoid using k****l exploit.

Hello,
Can someone help me with root!! Please :anguished:

I am stuck for a week. Can someone give me a “hint” how to upload r****** s****? I always got “CSRF” message

Could I get some help on getting a shell? I have looked at the GitHub code for the webapp … I have the exploit but just can't get a call back … I'm sure it's something stupid that I'm missing

@herapen09 said:

I am stuck for a week. Can someone give me a “hint” how to upload r****** s****? I always got “CSRF” message

I’m lost…need HELP

Hello everyone, just rooted this box but not without the help of this great community. If anyone needs help you can PM me. Hints, hopefully without spoiling: for the script to run you need to find 3 parameters, and time travel is both back and forward in time. For root, linenum and searchsploit your way to root.

I am able to find my file if it’s a jpg or txt. But I can’t get around the file type filter. Tried using Burp but that captcha is screwing things up. I feel so close. Any help would be great.

@FlompyDoo said:

I am able to find my file if it’s a jpg or txt. But I can’t get around the file type filter. Tried using Burp but that captcha is screwing things up. I feel so close. Any help would be great.

Don’t believe everything u read :wink:

PM me if you want hints on 3k port - Also I need help on using the user account and the scripts, they (and my other enum) are not returning as expected.

I am trying to get user using the authenticated exploit (S** I********) having the creds, but it does not seem to give me the expected results. Did anyone try it recently and have a good result with it?

Spent hours on this box, and I can’t even get the credentials through the high port. Please PM with any help

EDIT: Finally managed to get user and root. Thanks to @JGruloos @ghost0437 and @CyprusDonkey for the help.

Only managed to get through the unauth way. Would appreciate a PM on the credentials part though. At least just how to the endpoint on the XXXX port

EDIT: Got user and root.

Some tips:

User

  • Check the source code on GitHub so you know where to look for that file you uploaded.
  • If your first shell doesn’t work, try another.
  • You don’t need to modify that exploit - Python and PHP both use UTC, so no “time travel” is necessary.

Root

  • Basic enumeration will get you some things to research. Root isn’t far off.

Very tricky box. Rooted

Spoiler Removed

@jrichasec said:

Got user.txt, for root… is the folder with web****.con**.js worth investigating any further? (I feel like I’ve saturated this)

EDIT:

rooted.

This privesc was a slap in the face after playing around for hours - don’t forget the basics.

Does privesc have something to do with the Express application?

I don’t know why sometimes I can find my upload file (txt file) with the exploit but sometimes I can’t find it. I am not sure how to bypass the filetype check. Can someone PM me for some hints on user?

Rooted thanks to encouragement from @CyprusDonkey .

Biggest thing that tripped me was my shell. As several other people have mentioned, do not be afraid to try several different types.

Honestly, this was an absolutely incredible learning experience though. Big thank you to the box creator.

Annnnd finally! rooted.
Thanks to those that gave me tips on parts I didn’t have. Good learning about many things on this one. Interested to know how people rooted the box and if I did it the same way as others. Also interested if anyone had success with the Auth’d expDB code option or if people went with the unauthed.
I, like others have commented, didn’t see the high port used, but did find its details two different ways.

Hi everyone, I get the creds by the high port but I can’t execute the uploaded file, this always returns 404. I have mounted it on a local site and I checked the upload file used by the app but I can’t reply this and exploit on this machine. Please, can anyone help me with this?

Rooted, thank you all for the help