Hint for HELP

Rooted. I was a little bit stuck on user, but confirmed the right direction in this topic and continued to try.

@gosusnkr said:

@env said:
So, based on the GitHub code, I know that the file is going to be uploaded to http://10.10.10.121/s*****t/u*****s/t*****s/

And from the GitHub code, it was stated that even if the page throws an error like “File not allowed” etc., the file was actually still uploaded and saved at http://10.10.10.121/s*****t/u*****s/t*****s/

But why is it that if I upload a .jpg file, I can find the file with the script, but if it’s a .php (not allowed) file, I can’t find my file?

Can anyone help me? Thanks :smiley:

use double extension
I’ve used:
filename.php%00.jpg: managed to find the URL but can’t run my PHP script
filename.jpg%00.php: the script won’t find any URL even though I’ve changed my TZ and extended my script loop.

@Shadowgown said:

@env said:
So, based on the GitHub code, I know that the file is going to be uploaded to http://10.10.10.121/s*****t/u*****s/t*****s/

And from the GitHub code, it was stated that even if the page throws an error like “File not allowed” etc., the file was actually still uploaded and saved at http://10.10.10.121/s*****t/u*****s/t*****s/

But why is it that if I upload a .jpg file, I can find the file with the script, but if it’s a .php (not allowed) file, I can’t find my file?

Can anyone help me? Thanks :smiley:

Are you sure the file is not allowed? :wink:
I recommend you check the source code, as people have linked before.

Also, any hints for root? I can spawn a “pwn” shell, but I can’t seem to escalate using that one. Could someone please give me a hint? PMs welcome!

Yeah, my bad, what I mean is the page will throw an error. But according to the GitHub code, the file would still be moved to the upload directory regardless of whether the file is allowed or not.

Edit 1: Looks like the problem was with my uploaded shell. I changed the shell and the script is working!

Edit 2: Rooted! Thank you so much to those who have helped me! Anyone who needs help, just PM! :wink:

Changing my shell fixed the issues I was having in getting the privesc to work. The one I was using didn’t show errors and I was presuming something different was happening.

I’m going to give the higher port a go at another time, so will be back!

Please advise: how did you query that other port for creds? I figured out it is a q…l endpoint.

@andrhtb said:
Please advise: how did you query that other port for creds? I figured out it is a q…l endpoint.

Happy to discuss how I approached it. I’ll send you a PM. :slight_smile:

Hi, I’ve got access to the ticket system, and believe the files should end up in /st/us/ts/, but have been unable to verify the path using 40.py. I’ve offset the time in the script by one hour, since I’m one hour ahead of London, and have extended the range, but no luck finding the file I uploaded. Any hints on how to upload the file/what filename to use to locate it again?

Please give a hint on root. I am looking at the g0tmi1k privesc guide. Not sure what it is. Is it a…che running as root that will help me here?

rooted

Rooted. Nice box overall with some obvious rabbit holes.
Thanks to @0v3rride and @aquira for the tips, but you got plenty of hints all over this thread.
My pointers:

  • Initial foothold and local user - scan all ports with nmap (beyond the first 1000 popular ones, goes without saying) and note what web app you are presented with and how you can use it to gain the initial foothold for local user.
  • Root - Root was surprisingly easy.
    There are several straightforward paths/exploits to use, enumerate locally with either known linux privesc scripts or using the great Basic Linux Privilege Escalation guide by g0tmi1k if you want to go the hard way:
    Basic Linux Privilege Escalation - g0tmi1k
    (Focus on “Sticky bits, SUID & GUID” and proceed from there )

Hmm, properly stuck on initial entry. I managed to find an extension that allows upload, set myself to what I think is the correct time and edited the script to reflect that file extension.

Anyone able to give me a hint on where I might be going wrong? This box has me more stumped than harder boxes!

Saw this today. Had to add it. Hint for that service on port 3000.

Finally rooted. Thanks to @sickwell, @safexsal and all others, either in DM or public. This was an interesting machine, though user was not that easy. I haven’t figured out how to send a proper request to the higher port to get creds, but after struggling for a while I was able to get a shell by checking the code on GitHub.
Now root: root was super easy if you know what to use. I didn’t even look in that direction. It was super fast if you know what to do. Check for versions of stuff to find an existing exploit.

Could someone PM me a hint as to what file I need to upload? Is double extension needed?

I am able to upload a file, but not sure where the file path is. By looking at the source code it seems that it’s located at /st/us/t*****s, but I am not able to execute the file. Can anyone give me a hint? Or correct me if I am wrong.

Edit 1: Got user. Had to reset the machine.

Edit 2: Rooted.

PM me if you need any hints.

Finally rooted! Was on the right track but between unstable shells and not working exploits I found root was way more difficult than user, unlike many other comments mention.

  • User: Enumerate, find the proper paths and with the correct exploit use simple web shell to gain first access. Extra hints: ignore the errors and no need for time travel.
  • Root: Basic enumeration, check for GUIDs, research for the exploit and try all of the source codes in different shells if you don't succeed at first.

Many thanks to @clmtn for pointing the right way when I had doubts.

Yes! Finally got Root!

@Epictetus said:
Hmm, properly stuck on initial entry. I managed to find an extension that allows upload, set myself to what I think is the correct time and edited the script to reflect that file extension.

Anyone able to give me a hint on where I might be going wrong? This box has me more stumped than harder boxes!

Finally got root and user, with thanks to @env and @andrhtb

Some of these boxes are a real learning experience. I think I did root wrong in many ways, but managed it with Metasploit in the end.

Hello!
This is my first time on HTB actually trying to solve a box. After some days of making lots of progress and learning A LOT, I was stuck on the same spot and thought that it was time to get some help on Help.

Was really happy to see that I had already found lots of the things that were mentioned in previous hints. Actually, I kind of know what I have to do, but as I am really new to CTF and pentesting, some trivial stuff is unknown to me.

Could someone PM me (or I can PM someone) to solve some specific questions? I promise that I don’t want the answers, just to be pointed in the right direction.

Thanks

@Ammit said:
Any hints for priv esc? Looked at searchsploit, keep getting an error on execution

./xxxxx
error invalid argument

executing from within a reverse python shell
I’m getting the same message; did you find a solution?

I don’t know what I can do to get access to the machine. I used nmap and saw which ports are open, and I tried to use Metasploit on port 3000 n***.js, but I can’t. Help me, please.