Remote

@dyl88 said:

@Meatex said:

I am in the same boat as xboxfreak54
Confirmed RCE with ping and got it to do web requests and download files, but any more complicated scripts are no go. Not sure where it's storing downloaded files and tried downloading and then executing by running exploit with command to just run, but no joy yet.

I'm in the same boat as you, it downloaded a file… but god knows where it went… can't seem to get it to run

I am also at this stage.
Any attempt to add a path to the output location, download never starts.
Attempts to execute my file with out, hasn’t made it back to my meter.

So, I got the user flag but I am not able to get the shell. I am getting an error in my payload which I am not able to resolve. Any help will be appreciated.

@gsxrjason said:

@dyl88 said:

@Meatex said:

I am in the same boat as xboxfreak54
Confirmed RCE with ping and got it to do web requests and download files, but any more complicated scripts are no go. Not sure where it's storing downloaded files and tried downloading and then executing by running exploit with command to just run, but no joy yet.

I'm in the same boat as you, it downloaded a file… but god knows where it went… can't seem to get it to run

I am also at this stage.
Any attempt to add a path to the output location, download never starts.
Attempts to execute my file with out, hasn’t made it back to my meter.

Try to execute in memory when you can download a file on the server, so you don’t need to know where the file is placed. One terminal to receive the reverse connection, another terminal to serve a file to be downloaded.

Anybody please help me, I am not able to get a shell with 4****.py. I have edited the code but still only ping is working and nothing as

Okay. So I got meterpreter to work.
No exploit to priv escalate. I'm stuck.

@dyl88 said:

Okay. So I got meterpreter to work.
No exploit to priv escalate. I'm stuck.

Enum more what is installed/running on the box

Rooted !!!

Got to learn one new cool thing about XSLT (Extensible Stylesheet Language Transformations), and made it exploitable. Thanks to the creator of this box :)

However, I’ve noticed that there are two approaches to get to root. And I believe I rooted by using another approach which is irrelevant to the box’s name. I’m now finding the way up to root by using the intended approach.

Feel free to PM me if you need any help, happy to help :)

I’m a beginner, found that a****@***.****l, but not able to find any creds…

@phlashko said:

I am dead in the water at the darn CVE. I just can't seem to know what to change in the code to make it work. I got a**** pass and got access to the site, can upload js* manually, but can not make the script work. A nudge would be very helpful.

@th3g3ntleman said:

Can’t seem to run the PoC. After running the py file it just starts and ends without returning the shell, tried changing a few things in the PoC but no luck. Please help

@spowlay said:

I need some help with the PoC…Anyone please ping me

It isn’t easy for people to help in this way without basically giving you the code to get the flag. The only non-spoiler way is to say “check what isn't working and change it.”

If you don't know what isn’t working then use this as a learning experience to find out how the exploit works and see what you need to change.

At a very high level, and because I don't want to come across like a ■■■■, you need to read the exploit - some parts are clearly marked in need of content (the XXXXs), others you need to read what it is doing and change it to do what you want it to do.

Popping calc is for POCs, not exploitation on HTB.

You need to change the script, man, to run a reverse shell

This was a nice box, forced me to try some new things and a new way for me to get a reverse shell.

User: There are plenty of tips here for this. Basic enumeration combined with what type of box this is. When using publicly available scripts please take the time to understand them.

Root: Got the unintended way first, as I thought what is the actual way was a rabbit hole, but it is actually the correct way. The name of the box does very much hint at how to get root access.

Anyone needs a tip, PM me.

I’m trying L** attack, am I on the right track?

@alesawe said:

I’m trying L** attack, am I on the right track?

Try a different approach. Think of the name of the machine.

@alesawe said:

I’m trying L** attack, am I on the right track?

I don't think so but I can't work out what L**. For me, the initial foothold should be via N** then log in to the CMS and exploit that.

@Flenx said:

I’m a beginner, found that a****@***.****l, but not able to find any creds…

The creds are side by side with what you found

Woah this machine is unstable. Can’t m***t that folder for a day now. Connection refused etc…

Hmm, after getting in with the a**** creds can someone tell me is getting a reverse shell tricky or am I just overthinking it? (can't see where to include code etc)

@bagels said:
Hmm, after getting in with the a**** creds can someone tell me is getting a reverse shell tricky or am I just overthinking it? (can't see where to include code etc)

I’m in the same spot. If anyone is willing, please DM me an assist.

done!

user:

  • it’s simple if you are able to see the right port: information is Not For Sale
  • there’s a ready-to-use script, simply read it carefully before running it: two steps two kisses

root method 1:

  • enum enum enum with standard method: you are able to play? Let’s impersonate a music teacher

root method 2:

  • enum for a tool used by billions of people, and check for settings stored in a core file, then google to get the right way. There’s a very simple way not common.

foxlox

Same m**** doesn’t work