Could someone PM me a hint how to use the LFI? I guess I upload a php file and then call it from the dashboard page… And am using the full path. Not working for me…
…getting “Something went worng”… message…
basically stuck at “haha” like so many other people, lol
I’ve been stuck at haha for days… not so haha. Tried various LFI tricks, I can see the path from my enumeration… I don’t know what the ■■■■ I’m doing wrong. Any hints? Thanks
This was one of the most difficult machines I’ve faced until now. Not because it’s really hard, but because it’s so full of rabbit holes that it makes you crazy!!!
Anyway, I’ve got user.txt (after a couple of days) and root.txt, which needs a couple of minutes if you know what is going on, but a while if you want to learn something new.
Thanks to everyone that helped me, especially to @p0wn3y for the first part and @m4xp0wer and @absf1 for the root part.
A couple of hints:
initial foothold: enumerate every port you have, every piece of information you get can be useful for the next steps, and I mean every!
user: when you get the right page (that gives you “information” about what you should do) try to understand well what is going on
root: enumerate well, something will come up (follow the g0tmilk guide). As others have said, then follow the snake. Try to understand well how it works and you’ll be fine
user: when you get the right page (that gives you “information” about what you should do) try to understand well what is going on
Absolutely, I’ve spent an hour reading up on what I’m doing and what to do with that, which made understanding and using the vulnerability in that environment super easy. Once I understood what’s going on, it was a walk in the park. (total beginner here btw…)
Could use help with this. There has to be a way to do PrivEsc without having to modify a python library, right? Seems like a good way to break the box and force a reset
I am about to lose it over DNS enum. Could somebody please PM me and tell me how to properly edit hosts?
Edit 1: got it, time to confront LFI
Edit 2: Rooted
Tips -
Initial foothold: enum 53 like ■■■■. Ippsec bank really is the way to go. Don’t forget different web protocols…
User: to get to RCE you need to enum 443. Once you get to the fabled HaHa you need to really understand what the script does. The vulnerable param might surprise you. Find your uploads through nmap scripts.
Privesc: to escape w******a you need to look nearby. For root, check what unusual files you have access to and go with your gut. As has been said several times, pspy is awesome.
Thanks to @askar for the awesome box, and @KaiserPhoenix for the help with DNS
I’m new to htb, can someone PM some hints? I’ve enumerated as much as I know how to and gotten back most of what people have mentioned. I think I’m missing haha and c***.txt but not too sure where to go from here
I’m completely stuck on privilege escalation for a day. I thought I knew where to go but I’m just stumped. If anyone could offer a nudge it would be greatly respected.
For those stuck on LFI: Do more research on what LFI is and what it can do. Start from zero and verify one assumption at a time. In other words: Try harder :lol:
I am back again. I was busy in the OSCP lab for exam prep. I am working on root but my exploit is not working. I asked my colleague for help but he has the same problem. I can go in details because of spoiler. Can someone send me a PM to discuss this?
This box was simply fantastic. It really helped me refresh some lingering enumeration skills and made me think. I missed the answer about 5 different times and without a much needed nudge from @marvin7408 I’d still be stuck.
Found the admin page and credentials. Used a different computer that I no longer have access to, and by using burp and changing host, I got a 200 code.
Yet now, on my own laptop, I keep getting 400 codes.
Anyone know the login step that they can help me with? Or if there’s another way to work on the admin login page?
Stuck with LFI for days already, tried probably everything. I guess I know the location where to look, but nothing seems to work. Would really appreciate it if somebody could message me and put me in the right direction.
Like others I got stuck with the LFI and thanks to @zweeden got unstuck. My issue was not thinking enough about extensions - not being a p*p coder. As always, learned a lot.