Friendzone - HackTheBox

Thanks @AnonyBit for helping me with root.

For those stuck on LFI: Do more research on what LFI is and what it can do. Start from zero and verify one assumption at a time. In other words: Try harder :lol:

I am back again. I was busy in the OSCP lab for exam prep. I am working on root but my exploit is not working. I asked my colleague for help but he has the same problem. I can go in details because of spoiler. Can someone send me a PM to discuss this?

This box was simply fantastic. It really helped me refresh some lingering enumeration skills and made me think. I missed the answer about 5 different times and without a much needed nudge from @marvin7408 I’d still be stuck.

Very CTF but still an excellent box.

Found the admin page and credentials. Used a different computer that I no longer have access to, and by using burp and changing host, I got a 200 code.
Yet now, on my own laptop, I keep getting 400 codes.
Anyone know the login step that they can help me with? Or if there’s another way to work on the admin login page?

Stuck with LFI for days already, tried probably everything. I guess I know the location where to look, but nothing seems to work. Would really appreciate it if somebody could message me and put me in the right direction.

Like others I got stuck with the LFI and thanks to @zweeden got unstuck. My issue was not thinking enough about extensions - not being a p*p coder. As always, learned a lot.

Help wanted for LFI and RCE, PM me to know what I’ve done so far. Thanks for your help.

Got root. Thx to @halligan for the nudge.

Got user and root, thanks to this thread and all who contributed. Curious if there are multiple paths to root?

Gotten a few PMs for hints, so here are a few:

User: Remember the conceit of this box is that the web app is still under construction. Don’t assume something does what it says it’s doing. All the pieces you need for LFI are things you can directly observe working.

Root: Once you find the script at issue, do some research to really understand what an i****t statement does in this particular language.

Could anyone point me to the right path? Only found the 4 subdomains and found a page that said it is not developed yet. Thanks.

I’m stuck on HAHA page… I already tried many requests to page d*******d.*hp. Can anyone help me pls?! Since yesterday trying to get user for this machine -.-

@jutice said:

Could anyone point me to the right path? Only found the 4 subdomains and found a page that said it is not developed yet. Thanks.

Try using a different tool to enumerate the subdomains. And be sure you have all the correct domains.

Stuck on Privilege Escalation for a couple days. Someone PM me with a hint, please :heart:
I did find a nohtyp | rev script but stumped on the details…

Solid box, but slightly too CTFish for my taste. Msg me if you need a nudge

Can I get a hint for the haha? Losing it over here…

Loved the privesc :slight_smile:

Able to upload a file via sm* and web, like others, not sure where it goes. Trying to manipulate timestamp param and image_id param, no luck. Any kind soul pm me a nudge?

Edit: Got user, thanks bogglez for the nudge.

Trying to upload this RCE shell. Tried using PUT command for Brazilian dance, on the only RW share. But url, along with parameter doesn’t start RCE via netcat, so this must be incorrect. A hint to find out the correct vector, where to upload RCE would be appreciated.
This box is like a maze. So many rabbit holes and dead ends.

Edit: Got User

Please can someone PM me a hint on how to find the upload location for the LFI. I have figured out the LFI so can view the code in up***d.h file. I just can’t figure out how to include what was uploaded via Brazilian dance. Pulling my hair out!

Edit: Was almost there, someone else alluded to it earlier, there is an NSE script that can give you the path. Can PM me for hints