Book

@lucaswebb24 said:

Are you talking about admin@*.? Because I can download it… And I am that user on the website

That's the one. If you attack on upload, then download, the output of the attack should be there.

hmmm ok. I’ll stick to that for now, probably will be back here soon, thanks!

After a while, finally got root.

Getting admin was the hardest part, needs some out of the box thinking

Very nice box, definitely learned something :smile:

I’d like to know how you understood what needed to be done to get the admin (without previous knowledge of the vulnerability)?

Hints -
User: There are 2 parts for the user. Firstly you need to get admin access to the web. There are many hints here on what you should check. Then you’ll need to perform some functionality (that only the admin can) which deals with some user input :wink:

Root: I can’t say that this part is straightforward but the usual enumeration and usage of some spying tools will reveal the path.

I have no idea how to get to the admin panel… I can register users and have read the relevant blog posts on how you’re supposed to exploit this. But I don’t get how I am supposed to do it.

@professorbs said:

I have no idea how to get to the admin panel… I can register users and have read the relevant blog posts on how you’re supposed to exploit this. But I don’t get how I am supposed to do it.

There are things to try. If you know some details about the admin user, you can try to create a new user with their details.

Then if there is a problem you can find a way to get round that problem.

Have a look at the source code. Think what might happen if you sent data which ignored the restrictions set up by the site admins.

Then think how you can trick a backend into thinking two things are the same, even when they are different.

@sparkla said:

@professorbs said:

I have no idea how to get to the admin panel… I can register users and have read the relevant blog posts on how you’re supposed to exploit this. But I don’t get how I am supposed to do it.

Same issue. One day of trial and error, no avail. I made a list of things to try and crossed off one by one. Also wrote down in pseudocode what’s probably on the other end but fail to see the issue. Maybe cause I usually work with PDOs and sequelized stuff, I don’t know. Happy for a small hint.

Try fuzzing / QA-ing the registration; you should see some interesting behavior. Once you find it, think what you could do with it to get admin access. It has pretty good documentation if you know what to search for.

@sparkla said:

@TazWake said:

Have a look at the source code. Think what might happen if you sent data which ignored the restrictions set up by the site admins.

Then think how you can trick a backend into thinking two things are the same, even when they are different.

Currently signed in as 0xbf5c or 1=1;-- :smiley:

I thoroughly tested one by one what happens if I change the email input to text and exceed the limit. The strings get cut off, nothing else that I could notice. What am I overlooking here?

Ask yourself how strings get cut off and if / how you can bypass this.

Then look at what might happen if you bypass this length. Can you use this to change what the backend thinks is happening?

Also tried all sorts of PHP, variable names, quotes, header params etc. as name, email, password - it’s escaped pretty well, maybe even whitelisted (that’s what I do usually).

Or is it what @boris154 said and I shouldn’t have listened to the creator, that I won’t need fancy tools, just my brain?

Burp helps.

@sparkla said:

Thanks mate, yet I’m still clueless. There’s like 10 different substring PHP functions / methods off my head, probably more if I search. I can’t figure a way to “bypass” any of these, how to do that? My code would be like …[well cant write it down cause HTB-WAF catches me each time]…

Don’t focus on the PHP. There are other things in play. Think of a way you can convince the backend to truncate what it has so it thinks two things which are different are the same.

I thought about that there may be a way to evade the “user exists” check but didn’t manage to do that.

You will but you might be overlooking one thing.

I tried Burp in the beginning but don’t use it much anymore, Firefox can do most in DevTools, more comfy.

As long as you can manipulate the post request you are good.

Drop me a PM if this isn’t helpful.
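The hints above describe a registration flow in which the "user exists" check sees the raw submitted value while the storage layer silently cuts it to a column width. The following is an added, constructed model of that pattern and of the defensive fix (validate length up front and run the uniqueness check on exactly the form that gets stored); it is not the box's code, and MAX_LEN, the in-memory row list and the addresses are assumptions standing in for a real database table.

```python
MAX_LEN = 20  # assumed width of the email column


def stored_form(email):
    """How the (modelled) database actually keys the row: cut to the column
    width, with trailing spaces ignored on comparison, as some collations do."""
    return email[:MAX_LEN].rstrip()


class NaiveRegistry:
    """The 'user exists' check compares the raw input; the INSERT stores stored_form()."""

    def __init__(self):
        self.rows = []  # list of (stored_email, password)

    def register(self, email, password):
        if any(stored == email for stored, _ in self.rows):  # raw, untruncated comparison
            return "exists"
        self.rows.append((stored_form(email), password))  # silent truncation on storage
        return "ok"

    def login(self, email, password):
        key = stored_form(email)
        return any(stored == key and pw == password for stored, pw in self.rows)


class StrictRegistry(NaiveRegistry):
    """Reject over-long or non-canonical input, then check uniqueness on the stored form."""

    def register(self, email, password):
        if len(email) > MAX_LEN or email != email.strip():
            return "rejected"  # fail loudly instead of letting the DB reshape the value
        if any(stored == stored_form(email) for stored, _ in self.rows):
            return "exists"
        self.rows.append((stored_form(email), password))
        return "ok"


def collision_demo(registry_cls):
    """Register an existing address, then a different string with the same stored form.
    Returns (result of the second registration, whether the new password now logs in
    as the original user)."""
    r = registry_cls()
    r.register("owner@example.test", "orig-pw")  # 18 characters, fits the column
    # constructed second value: differs from the first, but stored_form() maps it to the same key
    result = r.register("owner@example.test" + "  x", "new-pw")
    return result, r.login("owner@example.test", "new-pw")


if __name__ == "__main__":
    print("naive :", collision_demo(NaiveRegistry))   # ('ok', True): check and storage disagree
    print("strict:", collision_demo(StrictRegistry))  # ('rejected', False)
```

The application-side check is only half the fix: the database should also be configured to raise an error on over-length input rather than truncate it (MySQL's strict SQL mode does this), and the email column should carry a unique constraint so that any remaining collision becomes a failed INSERT rather than a second row for the same identity.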

Managed to get the admin account.

Any hint on the pdf collection?

The box was really fun and tough. PM me for help.

@Khecari said:

Managed to get the admin account.

Any hint on the pdf collection?

Think about what you can see in the pdf based on what you did as a low priv user.

@sparkla said:

Reset the box, still not working - either some dude is hammering the register with a script to secure his own access or something broke… Does it still work for you guys?

Bear in mind, everyone who attacks the box will (eventually) change the password so your password won’t work.

If you’ve left it for any period of time, or the box has reset, you need to re-exploit the first bit again.

Servers are too slow.

Can I ask something regarding root? I’m waiting, let’s say, forever for the l… r…e to get a shell. Is that normal??

Ok, so now I’m at the point where I found a pub and private key, but they say they’re the wrong format?? I think the pub is too short; trying different editors to see the whole key…

Found the full public key, still won’t work…

@lucaswebb24 said:

Found the full public key, still won’t work…

The pub key of course doesn’t work…

I could use some help for root. I don’t notice anything unusual; what should I be looking for?