Hint for HELP

Comments

  • edited May 2019

    Finally got root on this. As a newbie, user was easier than root for me b/c the service to exploit seemed pretty clear. For root, however, I was kind of directionless and expected it to be harder than it was, and ended up overlooking something basic... Once I realized it, the exploit was easy and took like 15 minutes.

    Edit: for User, I saw lots of people recommending to look at the source code, but I didn't find that helpful (I don't know the language tbf). I think the easier path is using a proxy like Burp Suite to monitor requests.

  • Wrong timezone was the cause of my frustration. After resolving that, everything else was basic.
    TIP.
    User ==> Sort out time zone.
    Root ==> Do NOT overthink it. Should be one of the 1st things you check when getting any shell.
    Challenge can be completed by using Kali's Searchsploit.

    PS. My 1st comment. Hopefully no spoilers

  • Finally rooted the machine. It was quite easy after I realised most important thing is in source code. No, I am not talking of any credentials 😀

    Feel free to ping me for hints.
  • hello everyone!

    i could use a push in the right direction with this box... i'm not exactly sure how to go about it... i have an idea tho and i dont wanna put out a spoiler... so could someone who wants to help a newb pm me plz? thanks...
    HTB is a good group! thanks again!

  • @FlewManChew said:
    > hello everyone!
    >
    > i could use a push in the right direction with this box... i'm not exactly sure how to go about it... i have an idea tho and i dont wanna put out a spoiler... so could someone who wants to help a newb pm me plz? thanks...
    > HTB is a good group! thanks again!

    Did you try directory brute forcing? Why don't you look at dirsearch? It's an amazing tool.

    Pm me if you are still stuck.
  • thanks for the help guys!
    now if anyone wants to help with poppin root action .. much appreciated... i've tried a bunch... seems like i'm going in circles

  • @FlewManChew said:
    > thanks for the help guys!
    > now if anyone wants to help with poppin root action .. much appreciated... i've tried a bunch... seems like i'm going in circles

    im not being rude but it seems that you want others to hack your boxes using your fingers ? its the most basic enumeration ever, if you cant figure this one out .. question mark

  • Guys I changed the github code accordingly, even bypassed the file upload thing, yet not finding the file in the server. Can someone please pm for a hint please?
  • edited May 2019

    Hi everyone. I got user yesterday, but didn't get root before I had to move onto other things. Now... using the exact commands and files I used yesterday, I can't get user again. Any ideas? It just keeps coming back as not finding anything.

    EDIT: Never mind, I altered the py script to give more tries before giving up and I got the shell again. Root!

  • @meowzilla said:
    > @mystory20 said:
    > > I am lost in the file extension bypassing
    > > any hint for that?
    > > I have tried with different extension and modifying the content type
    > > but none of them work
    > >
    > > Apart from the unauthenticated way,
    > > I have no idea on constructing the n**.s query
    > >
    > > Thanks in advance
    >
    > same here. i can find my jpeg file with exploit script but stuck on bypassing the file extension filter ... hints will be appreciated.
    >
    > Thanks.

    Check the source code and exploit it will definitely help u

  • @latestlurker said:
    > spent hours working on the file extension bypass, including reading source code, any nudges would be appreciated as i'm going insane

    U can check the exploit for the help

  • @Grepthis said:
    > Ahhh... wow I made this much harder than it should have been.. pm me if you are stuck.
    >
    > Hints:
    > User: i went unauthenticated.. just make sure you read the usage and sample usage of things..
    >
    > Root: Really don't assume things.. don't think wow that's recent there's no way...

    i went same way but not able to capture flag but got the shell

  • Please someone PM me "File upload is not allwoed"??? isn't that supposed to be the way or did i miss something here?

  • edited June 2019

    does anyone know what this message means ?
    WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)

    this is the message i get while i link to the shell i've uploaded... and it's not connecting back to my listener...

    can anyone help please?

    edit: oops... i'm an idiot... firewall. duh.
    thanks for helping a newb like me guys... much appreciated!
    if anyone needs a push in the right direction i'll be willing to help! just pm

  • edited June 2019

    @xyzxyz said:
    > Please someone PM me "File upload is not allwoed"??? isn't that supposed to be the way or did i miss something here?

    Are you sure the system tells you the truth?

  • Hi all,

    This is my second machine, just after advice on how I should start this machine off. Just an application name I should look into, just so I can enhance my learning. PM me please.

    HF

  • This is the first machine that I do in HTB. I was a lot confused with this machine. But it was very funny.

  • finally rooted, I agree that the User part was waaay harder and misleading...... deff check the source-code of the app from GitHub

    root was EZ

  • Rooted!
    Pretty straight forward, im still confused if i really needed the cred from g**** api

  • rooted. Might someone get in touch with me to discuss the higher port method?
  • Rooted!

    Thanks to @jacknife for the hint on Root, and to @ecro80 for the hint on the code.

    Happy to assist too.

  • check port 3000 then find ticket using support center header name. be sure your gmt time.

  • i've tried everything google and searchsploit has to offer with this file extension filter, any hints would be much appreciated

  • @Reiahx01 said:
    > i've tried everything google and searchsploit has to offer with this file extension filter, any hints would be much appreciated

    check the sourcecode of the file upload of helpdeskz on their github repo and try to understand what exactly happens on uploading a file ;)

  • @Enyone said:
    > @Reiahx01 said:
    > > i've tried everything google and searchsploit has to offer with this file extension filter, any hints would be much appreciated
    >
    > check the sourcecode of the file upload of helpdeskz on their github repo and try to understand what exactly happens on uploading a file ;)

    from what i see it only appends the very last file extension, so double extension doesn't work. tried inserting null byte and still nothing. i'll keep looking but for whatever reason i'm not seeing it yet

  • I have tried all the possible steps:
    submit ticket :-
    step 1 file supported
    1: change time zone to L0
    2: upload s*e
    with extension (no luck)/ call it back after changing the 'x' range

    step 2 er: file not supported (no luck)
    yes I have changed php -reverse -shell already using (/usr/share/webshell/php/reverse*)

    in exploit not sure what code should I use ?
    currentTime= (??????)
    Thanks

  • Whenever I upload the exploit and compile it, I get an invalid argument error. I can run it fine from my webshell, but it does not work from the actual pty shell.

  • rooted!!!! finally!!!

  • need hint to proceed with .*s or shell upload, or port 80

  • Managed to get root without obtaining credentials via the Shiv query, if anyone could enlighten me via PM what the query is I would be grateful as I am intrigued.

    Anyone seeking nudges feel free to PM me.

    LordImhotep