onetwoseven

@badwolf said:
@avetamine said:

You need to create the tunnel but not necessarily keeping the connection open, there is a specific parameter for that :wink:

What? That makes sense, however I couldn’t find such a parameter in man ssh. I have to look more carefully.

It’s a parameter that is commonly used along with port forwarding where command execution is not required, that’s all I can say from here. :wink:

Oh, right. I get it now. I know what parameter you refer to. Thanks

I am doing this box and would need some hints on the initial foothold. I have some info but I don’t know how to proceed.

I’m an utter noob, been spending 5+ hours trying to get user.

Anyone be so kind to PM me just to point me in the right direction?
I don’t want straight answers, just directions :slight_smile:
I can also explain what I have done (tried rather) and anyone can correct me or assert my progress in the right directions.

Thanks!!

@gregX01 said:

I am doing this box and would need some hints on the initial foothold. I have some info but I don’t know how to proceed.

  1. one POST param could be exploitable for OS commands
  2. By using 1st hint, you could download two .pem files
  3. combine them to generate .pfx file (Convert a PEM Certificate to PFX format)
  4. use hint3, to be able to access web application on higher port
  5. on higher port, you will get access to ssh later nfs

I am at the high port panel with no creds. I cannot figure out what to use within S**P. Can anyone throw me a bone? Or a PM?

done.

Thanks @billycontras, @Chrix87, @m4xp0wer and @Wingadium for all the tips and help for me to get root. Box was really hard. To anyone who needs help, feel free to pm me :slight_smile: good luck have fun

@azasdf74M said:

@gregX01 said:

I am doing this box and would need some hints on the initial foothold. I have some info but I don’t know how to proceed.

  1. one POST param could be exploitable for OS commands
  2. By using 1st hint, you could download two .pem files
  3. combine them to generate .pfx file (Convert a PEM Certificate to PFX format)
  4. use hint3, to be able to access web application on higher port
  5. on higher port, you will get access to ssh later nfs

I think you are in the wrong thread. Those hints are useful for another active box. I wish the best of fortunes to you!

Cheers!

Good box, but it’s definitely been frustrating… gone through quite a lot but not able to upload the plugin :confused: Would like to get some tips on how to bypass the disabled addons upload (Does it have something to do with the strpos R******_U** and the preg_match check?)

What a fun box! Finally rooted. PM me for Hints.

Figured it out, time for shell

@D4nch3n said:

Good box, but it’s definitely been frustrating… gone through quite a lot but not able to upload the plugin :confused: Would like to get some tips on how to bypass the disabled addons upload (Does it have something to do with the strpos R******_U** and the preg_match check?)

Stranded at the end of the tunnel, with a login screen to the admin panel.

So far so good, also found a couple other interesting files and directories. So, can you find some credentials somewhere for that panel?

Or should I try to work without any credentials. Might be possible, but I don’t quite know how, especially since I can’t look at the important files in that directory… Any help would be appreciated.

Or do I even need to run Hydra against the admin panel which might be tricky, due to the tunnel…

Cheers,
WTW

@walksthewires said:

Stranded at the end of the tunnel, with a login screen to the admin panel.

So far so good, also found a couple other interesting files and directories. So, can you find some credentials somewhere for that panel?

Or should I try to work without any credentials. Might be possible, but I don’t quite know how, especially since I can’t look at the important files in that directory… Any help would be appreciated.

Or do I even need to run Hydra against the admin panel which might be tricky, due to the tunnel…

Cheers,
WTW

Credentials are in a file stored on the target box.

Hey all

I’m having real trouble with the upload part of the box, been trying for a week. I’ve been trying to use the oma**** plugin to upload my file and all I get is “200 ok”.

I think it might be something to do with the p***_m**** part of the code, but if it is I don’t know how to do it.

I’ve been using the default upload options from the menu page just modifying the ‘action’ and disabled bit.

Any help would be greatly appreciated.

Thank you.

Can someone please PM me about the upload part? Getting “Not found” on the uploader.

Edit: Nevermind. Trying for root now.

@Rang3r said:

Hey all

I’m having real trouble with the upload part of the box, been trying for a week. I’ve been trying to use the oma**** plugin to upload my file and all I get is “200 ok”.

I think it might be something to do with the p***_m**** part of the code, but if it is I don’t know how to do it.

I’ve been using the default upload options from the menu page just modifying the ‘action’ and disabled bit.

Any help would be greatly appreciated.

Thank you.

Take a look at the REQUEST_URI.
Take a look at what the URI looks like when you do a GET request, when you download one of the files.
It’s easy once you figure it out. I’ve also struggled for some days reading and experimenting, and eventually I asked for some hints and it was obvious, well, not so much.

What a beautiful machine 10/10. Congrats @jkr :slight_smile:

Tips in this post are enough to solve it:

USER

Pay attention to IPs used when trying to reach the high port, I failed one in my s** command and a 403 error was continuously shown.
After that you can get user.txt; you don’t need a valid shell.

ROOT
This is not a one command machine to get root.txt. You have to understand well how some basic unix command works and how to take advantage of it, Google is your friend with a nice article but you need some modifications.

Wow. This box put me through some major challenges. As others have said, a lot of what needs to be done is not a simple case of one or two commands and you’re in, you do have to do a lot of prep before getting anywhere in this box.
Hats off to @jkr for a challenging box.
Special thanks to @ZerkerEOD for his massive help in getting both user and root, and also to @raiden99 for giving me some much needed pointers during my chaotic run for root.

OK, here come the hints.

Initial Foothold

  • One type of file can be viewed as another type.
  • Zelda’s hero can help you see things that are out of reach.

User

  • Was that user there all the time?
  • How did I get access in the first place?
  • How did that process work?
  • Would it work for others?

Root (Deep breath)

  • I hope there is some light at the end of the …
  • Browser might need a little tweak.
  • Now, how do all these scripts work? Step by step!
  • It’s oddly satisfying when you have to take things apart and build things from scratch.

I am happy to help people out, but considering that after I offered help with LaCasaDePapel, I received over 300 messages in less than two weeks. I will still help people who need it, but a couple of conditions:
1. Use the forum to send me a private message or find me on Discord (Don’t write on my wall or use the private message function on the HTB site as I don’t get notified).
2. I try to respond as soon as I receive messages, but I may leave it until the end of the day and do them in bulk, so be patient.
3. Tell me your current status: where you currently are, what you have done, what you have tried, what you would like to confirm. I want to avoid spoilers as much as possible.

Good luck to those still working at it!

Hi all, can I PM someone to chat about initial foothold?