Book

A little nudge on the foothold.
Sometimes, after a limit, it doesn’t matter what the characters are.

XSS is never the way to go.

So, the reason I talk about what I’ve learned in the open is that I think it’s a complete dead end and I followed it to its end, I think.

I’ve spent so many hours on XSS. I’ve learned about punycode, so that’s fun.

I’ve had a lot of fun in trying to get this to go through the character limit, but it didn’t work out. It does resolve to an IP though.

script src=//⑩⑩⑩⑩

I left < > out, because I don’t want to accidentally trigger anything.

Edit: seems that I already did, when I did copy/paste the tag in, lol.

The browser resolves the emoji with an algorithm called Bootstring [1].
It becomes in this case: 10101010
which resolves to its hex form: 9A 21 12
which resolves to hex in base 10 form, aka an IP: 0.154.33.18


I’ve learned that //0xffff (etc.) also resolves to an IP on FF, Chrome, IE, Edge and Safari (Safari doesn’t do Punycode though, Chrome and FF do).

I opened up Firefox’s source, but I couldn’t find where this type of resolution takes place. If someone has the insight to look it up quickly, I’d appreciate it a lot! [2] :smiley:

[1] https://www.ietf.org/rfc/rfc3492.txt

[2] https://github.com/mozilla/gecko-dev (mozilla/gecko-dev: read-only Git mirror of the Mercurial gecko repositories at https://hg.mozilla.org)
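The two-step resolution described in the post above (circled digits mapped to ASCII digits, then the all-numeric host parsed as a single 32-bit IPv4 number) is reproduced below as an added example; it is not code from the post, from Firefox or from any other browser. One caveat worth knowing: the digit mapping is done by the IDNA/UTS 46 compatibility mapping (approximated here with NFKC normalization, which is what turns "⑩" into "10"), not by the Punycode/Bootstring encoding of RFC 3492, which only runs on labels that are still non-ASCII after mapping. The IPv4 step follows the WHATWG URL "IPv4 parser" rules (decimal, 0x hex and leading-0 octal parts, last part filling the remaining bytes), which is also why "//0xffff" becomes 0.0.255.255. The sample hosts at the bottom are constructed for the example, not taken from the box.

```javascript
// Added example (not from the original post): how a browser-style URL parser
// turns a host such as "⑩⑩⑩⑩" or "0xffff" into a dotted-quad IPv4 address.
// Step 1 approximates the IDNA/UTS 46 compatibility mapping with NFKC
// normalization (enough for circled digits; the real mapping table is larger).
// Step 2 is the WHATWG URL "IPv4 parser": one to four parts, each decimal,
// hex (0x) or octal (leading 0), with the last part filling the remaining bytes.

function parseIPv4Number(part) {
  // Numeric value of one dotted part, or null on failure.
  if (part === '') return null;
  let radix = 10;
  let digits = part;
  if (digits.length >= 2 && (digits.startsWith('0x') || digits.startsWith('0X'))) {
    digits = digits.slice(2);
    radix = 16;
  } else if (digits.length >= 2 && digits[0] === '0') {
    digits = digits.slice(1);
    radix = 8;
  }
  if (digits === '') return 0; // "0x" or "0" on its own is zero
  const allowed = radix === 16 ? /^[0-9a-fA-F]+$/ : radix === 8 ? /^[0-7]+$/ : /^[0-9]+$/;
  if (!allowed.test(digits)) return null;
  return parseInt(digits, radix);
}

function splitHost(host) {
  const parts = host.split('.');
  // A single trailing dot is allowed and dropped ("1.2.3.4.").
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  return parts;
}

function endsInANumber(host) {
  // WHATWG "ends in a number": only such hosts are handed to the IPv4 parser.
  const parts = splitHost(host);
  const last = parts[parts.length - 1];
  if (last !== '' && /^[0-9]+$/.test(last)) return true;
  return parseIPv4Number(last) !== null;
}

function parseIPv4(host) {
  // The 32-bit address as a number, or null if the host is not a valid IPv4 literal.
  const parts = splitHost(host);
  if (parts.length > 4) return null;
  const numbers = [];
  for (const p of parts) {
    const n = parseIPv4Number(p);
    if (n === null) return null;
    numbers.push(n);
  }
  // All but the last part must fit one byte; the last part fills the rest.
  for (let i = 0; i < numbers.length - 1; i++) if (numbers[i] > 255) return null;
  const last = numbers[numbers.length - 1];
  if (last >= 256 ** (5 - numbers.length)) return null;
  let address = last;
  for (let i = 0; i < numbers.length - 1; i++) address += numbers[i] * 256 ** (3 - i);
  return address;
}

function formatIPv4(address) {
  return [24, 16, 8, 0].map((shift) => Math.floor(address / 2 ** shift) % 256).join('.');
}

function resolveHost(rawHost) {
  // Mapping first: "⑩" has NFKC decomposition "10", so "⑩⑩⑩⑩" becomes "10101010".
  const mapped = rawHost.normalize('NFKC').toLowerCase();
  if (endsInANumber(mapped)) {
    const address = parseIPv4(mapped);
    if (address === null) throw new Error(`host ends in a number but is not IPv4: ${rawHost}`);
    return formatIPv4(address);
  }
  // Anything else is a domain name; a real parser would now Punycode-encode
  // (RFC 3492) any label that is still non-ASCII. Not implemented here.
  return mapped;
}

// Constructed sample hosts for the example (not taken from the box).
for (const host of ['⑩⑩⑩⑩', '0xffff', '0x7f.1', '2130706433', '0177.0.0.1', 'example.com']) {
  console.log(`${host} -> ${resolveHost(host)}`);
}
```

Run it with `node` (13 or later, so that `String.prototype.normalize` has the full Unicode tables). The "⑩⑩⑩⑩" line prints 0.154.33.18, which is the arithmetic from the post: 10101010 decimal is 0x009A2112, i.e. the bytes 0, 154, 33, 18. The same code shows why a filter that only blocks dotted-quad or hex-looking hosts is not enough: the digit mapping happens before the address is ever interpreted.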

@zaBogdan ? do you mean the upload capability is a rabbit hole?

@z3r0c001 If you don’t have the right permissions yes.

Rooted, great box, learned some new things that I haven’t seen before.

Rooted

PM for nuggets


Why is it that sometimes I can log in to the site with my new privileged user, but then I get a ‘Nope!’ when trying to log in to the admin console on the same session?

This box is turning into a big charlie foxtrot with everyone hammering away at it now. The chance that the file I need is intact by the time I get to it is slim to none, even when automating the entire exploit chain in Python.

So, I managed to login to the admin panel. But wondering how to proceed from there. Anyone willing to give me nudge in the right direction?

Is there some mechanism going on that is preventing my uploaded files from showing up when I search for them by exact Title or Author?

Starting this box tonight… the comments are scaring me.

Whoever is currently DoS’ing the box with Burp’s Active Scanner on the free EU server, can you please stop it? It will get you nowhere and makes the box unusable for others.

Is anyone able to reliably exploit the path to user? I just want to make sure it’s not something on my end, because I tested my payload and thought it was correct, but it could have been the result of someone else’s payload for all I know…

Rooted.

User part is not well designed imho. The actions of other users can modify the behaviour of the application, leading to unintentional rabbit holes. I lost hours yesterday because of getting a reply from the application that I should have never received. That really increases the difficulty for the people on the free server.

Root is more adjusted to the initial difficulty, I did it in about 45min after getting user. I wonder how xtc took 3h from user to root, he probably went for a nap or something.

Rooted! Very fun and educational box !
For those who have problems with a disconnecting shell, pm me

I learned a lot! I like the box more now that I know how to do it, but man what an initial foothold. PM ONLY in discord for nudges. Thanks!

I could use a nudge. I’ve spent about 18 hours so far and haven’t gotten a foothold yet.

anyone who has gotten user (not just the admin panel) and can help me out, please PM me. I am confident that my payload is correct, but for some reason I can not get the intended object to load where I need it.

@alez said:
Rooted.
User part is not well designed imho. The actions of other users can modify the behaviour of the application, leading to unintentional rabbit holes. I lost hours yesterday because of getting a reply from the application that I should have never received. That really increases the difficulty for the people on the free server.

Root is more adjusted to the initial difficulty, I did it in about 45min after getting user. I wonder how xtc took 3h from user to root, he probably went for a nap or something.

Well, instead of assuming something works, look at it in practice. Let’s say if the box is configured to reply to your payloads, then definitely it has to be in a timely manner. If not, then it’s not configured for that. Simple.

What you said on root part is absolutely correct. Good work :wink:

@godylocks said:
I learned a lot! I like the box more now that I know how to do it, but man what an initial foothold. PM me for nudges.

Glad you had fun reading this book :wink: