Official dynstr Discussion

I’m really struggling to get the RCE to work. Any nudge would be appreciated!

Guys, I’m happy to help, but please, before you write me, as @malc also mentioned, read the provided homepage!

■■■■ this is one ■■■■ of a box… Foothold took me like 5 straight hours

Spoiler Removed

Uff! Finally rooted!

One of the best boxes I have done so far! Thanks to everyone who has helped me! Also kudos to @jkr

Feel free to PM for help.

Root definitely has me stumped. I see the mechanism but I am not understanding how to exploit… time for more trial and error.

Finally rooted this monster…The best medium box so far…I really recommend this box to anyone who is trying to go from intermediate to advanced…

Foothold:
The directory structure seems a bit unfamiliar… However “dorking” helped me.
When you have a lot of characters to bother at, just change the encoding

User:
You will need a relative of “nslookup” to help you.
Just “update add” and tell who you are and where you are from.

Root:
Basic enum…Once you find it, read…read until you understand what it does
There is more than one way to read files

Hope these will help you…If you get stuck you are always welcome to DM…

Rooted !

Nice machine ! learnt a lot
Thank you @jkr
:smile:

This was a fun box, but I got delayed a couple of times by something annoyingly trivial in the end!

Foothold: As people have said, follow the instructions, then test this in the normal way - I got delayed by a couple of lists which for completely unjustifiable reasons, didn’t have the crucial piece of data in! (It really is that annoyingly blatant)

User: The hint is in the image, but there are unusual restrictions, however this machine offers unusual solutions to these restrictions too - I quickly spotted the means to make this change, but also didn’t account for the process in reverse and again lost a lot of time trying to work out why I still couldn’t get user!

Root: The designed route to root is pretty classic, check the usual things, then look at how you can abuse the obvious one - ALL the info is out there and if you’re stuck, just read the manual, there are a lot of ways to abuse this :slight_smile:

Great stuff jkr

Hey, so I tried finding the docs. I understood the reference, went to -.com, and read their docs on how to change the * records to any ** address (useful for *** Hijacking).

But I don’t know what to do next. How can changing * records help me get a shell? Am I even on the right track?

@CaptainWoof said:

Hey, so I tried finding the docs. I understood the reference, went to -.com, and read their docs on how to change the * records to any ** address (useful for *** Hijacking).

But I don’t know what to do next. How can changing * records help me get a shell? Am I even on the right track?

One of the parameters, try fuzzing?

Finally, I got it yesterday.

Without sounding too cryptic, and at the same time not giving out any big hints, to those who need foothold I say:

Forget complicated stuff. Remember one of the most basic statements people always say about user input, and the reason behind it, what it can help malicious actors do.

This ‘malicious concept’ is what you must use to get foothold.

Be patient.

Spoiler Removed

Spoiler Removed

Hi @thesafenet I figured that out and edited my post. I guess hours of guessing, you forget the “BASIC” of Google searches and misread APIs. I got this working and test.no-ip.htb is now updated to my tun0 IPv4. I’ve spent the last 30 mins tryna test for vulns in the API but I can’t see how any of this can lead to an RCE, I feel like I really am missing something here.

Hi all, is someone else having this problem? I have a foothold on the machine, but even though the privileges allow reading files, e.g. rwxr-xr-x root:root <somefile>, I am not able to cat some of them. This happens especially with “larger” files. Smaller files (< a few kB) are no problem. If you encountered that issue, do you know the root cause and how to bypass it?

nvm: just make sure you don’t use an additional VPN on your host when running HTB in a VM…
banging head against the wall

Rooted. Cannot say I liked that box at all


Final challenge (I hope) before root.txt is not having permission to use the ‘touch’ and ‘ln’ commands as ‘bindmgr’ user - as below! Thoughts?

bindmgr@dynstr:/$ touch ".v******"
touch: cannot touch '.v******': Permission denied
bindmgr@dynstr:/$ ln -s //.*** "v******"
ln: failed to create symbolic link 'v******': Permission denied

Hm. This one is interesting, I just got RCE on my own.
I gave up reading the C code of the client or looking for hidden API calls.
Then just by using Burp I found a way to execute commands on the remote side.
I stupidly ran a blind SQL intruder payload using the only API call that I could find.
I was not expecting anything but then I got unexpected results with a particular set of characters.
So instead of getting ticked off and quitting, I ticked off a way to run commands on the remote as the id of the web server…
OK, so now I need a shell.
This is fun…