Book

I feel like P*****J isn’t really stable. Sending the same payload that did things before doesn’t do things anymore :T

EDIT:
Aaaand rooted. Awesome box, had a lot of fun (except for the part where I got weird behaviour because of other people and tried replicating it unsuccessfully for 3 hours :,) )

Knowing MrR3boot’s inspiration, we’ll need a lot of lectures to own this box… Hope I’ll read fast enough?

Got some requests back, but probably pointless :confused:

Got inside privileged. Looking more to get a reverse shell…
Very educative so far

Owned user!
Next up to root

@bertalting said:

Owned user!
Next up to root

If you would give us any hint for user :smiley:

A little nudge on the foothold.
Sometimes, after a limit, it doesn’t matter what characters are.

XSS is never the way to go.

So, the reason I talk about what I’ve learned in the open is because I think it’s a complete dead end and I followed it to its end, I think.

I’ve spent so many hours on xss. I’ve learned about punycode, so that’s fun.

I’ve had a lot of fun trying to get this to go through the character limit, but it didn’t work out. It does resolve to an IP though.

script src=//⑩⑩⑩⑩

I left < > out, because I don’t want to accidentally trigger anything.

Edit: seems that I already did, when I did copy/paste the tag in, lol.

The browser resolves the emoji with an algorithm called Bootstring [1].
It becomes in this case: 10101010
which resolves to its hex form: 9A 21 12
which resolves to hex in base 10 form, aka an IP: 0.154.33.18


I’ve learned that //0xffff (etc.) also resolves to an IP on FF, Chrome, IE, Edge and Safari (Safari doesn’t do Punycode though, Chrome and FF do).

I opened up Firefox’s source, but I couldn’t find where this type of resolution takes place. If someone has the insight to look it up quickly, I’d appreciate it a lot! [2] :smiley:

[1] https://www.ietf.org/rfc/rfc3492.txt

[2] https://github.com/mozilla/gecko-dev (read-only Git mirror of the Mercurial gecko repositories at https://hg.mozilla.org)
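The walk from ⑩⑩⑩⑩ to 0.154.33.18 in the post above, as an added example that is not code from this thread or from any browser's source: the JavaScript below is my own reconstruction of the two steps that turn such a host into a dotted quad, following the host parsing rules of the WHATWG URL Standard. The digit mapping happens in the compatibility-mapping step that runs before any Punycode/Bootstring encoding (NFKC maps U+2469 CIRCLED NUMBER TEN to the ASCII digits 10), and the resulting all-digit host is then handed to the IPv4 number parser, which also accepts 0x-hex and leading-zero octal parts. The sample hosts at the bottom are constructed for the demonstration.

```javascript
'use strict';
// Added example (not from the thread): model how a URL host such as "⑩⑩⑩⑩"
// or "0xffff" becomes a dotted-quad IPv4 address, per the WHATWG URL Standard.
//   1. Compatibility mapping (NFKC) turns U+2469 CIRCLED NUMBER TEN into "10".
//   2. A host whose last label "ends in a number" is parsed as IPv4: each
//      dot-separated part may be decimal, 0x-hex or leading-zero octal, and
//      the last part fills all remaining bytes.
// Punycode encoding of non-ASCII labels is not needed on this path and is left out.

// Parse one IPv4 part. Returns a non-negative number, or null on failure.
function parseIPv4Number(part) {
  if (part === '') return null;
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(part)) {
    radix = 16;
    digits = part.slice(2);
  } else if (part.length > 1 && part[0] === '0') {
    radix = 8;
    digits = part.slice(1);
  }
  if (digits === '') return 0; // "0x" on its own parses as zero
  const valid = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  if (!valid.test(digits)) return null;
  return parseInt(digits, radix);
}

// Split a host on "." and drop a single trailing empty label ("1.2.3.4.").
function hostParts(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();
  return parts;
}

// True when the host must be treated as IPv4 rather than as a domain name.
function endsInNumber(host) {
  const parts = hostParts(host);
  const last = parts[parts.length - 1];
  return /^[0-9]+$/.test(last) || parseIPv4Number(last) !== null;
}

// Parse a numeric host as IPv4 and serialise it as a dotted quad; null on failure.
function parseIPv4(host) {
  const parts = hostParts(host);
  if (parts.length > 4) return null;
  const numbers = parts.map(parseIPv4Number);
  if (numbers.some((n) => n === null)) return null;
  const last = numbers[numbers.length - 1];
  const leading = numbers.slice(0, -1);
  if (leading.some((n) => n > 255)) return null;      // only the last part may exceed a byte
  if (last >= 256 ** (5 - numbers.length)) return null; // last part fills the remaining bytes
  let ipv4 = last;
  leading.forEach((n, i) => { ipv4 += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((shift) => Math.floor(ipv4 / 2 ** shift) % 256).join('.');
}

// Map the raw host the way the URL parser would, then either parse it as
// IPv4 (null if it is numeric but invalid) or keep it as a domain name.
function resolveHost(rawHost) {
  const mapped = rawHost.normalize('NFKC').toLowerCase();
  return endsInNumber(mapped) ? parseIPv4(mapped) : mapped;
}

// Constructed sample hosts for the demonstration.
const samples = ['⑩⑩⑩⑩', '0xffff', '0x7f.1', '0177.0.0.1', '2130706433', 'example.com', '1.2.3.4.5'];
for (const h of samples) {
  console.log(`${h} -> ${resolveHost(h)}`);
}
```

For the ASCII cases a quick cross-check is `new URL('http://0xffff/').hostname` in Node or a browser console, which yields the same `0.0.255.255`; the circled-digit case depends on the compatibility mapping, which is why `normalize('NFKC')` is applied first.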

@zaBogdan, do you mean the upload capability is a rabbit hole?

@z3r0c001 If you don’t have the right permissions, yes.

Rooted, great box, learned some new things that I haven’t seen before.

Rooted

PM for nuggets


Why is it that sometimes I can log in to the site with my new privileged user, but then I get a ‘Nope!’ when trying to log in to the admin console in the same session?

This box is turning into a big Charlie Foxtrot with everyone hammering away at it now. The chance that the file I need is intact by the time I get to it is slim to none, even when automating the entire exploit chain in Python.

So, I managed to log in to the admin panel. But I’m wondering how to proceed from there. Anyone willing to give me a nudge in the right direction?

Is there some mechanism going on that is preventing my uploaded files from showing up when I search for them by exact Title or Author?

Starting this box tonight… the comments are scaring me

Whoever is currently DoS’ing the box with Burp’s Active Scanner on the free EU server, can you please stop it? It will get you nowhere and makes the box unusable for others.

Is anyone able to reliably exploit the path to User? I just want to make sure it’s not something on my end, because I tested my payload and thought it was correct, but it could have been the result of someone else’s payload for all I know…

Rooted.

User part is not well designed imho. The actions of other users can modify the behaviour of the application, leading to unintentional rabbit holes. I lost hours yesterday because of getting a reply from the application that I should have never received. That really increases the difficulty for the people on the free server.

Root is more adjusted to the initial difficulty, I did it in about 45min after getting user. I wonder how xtc took 3h from user to root, he probably went for a nap or something.