Hey Guys iam at the last task on the module Getting Started, iam so stuck to get the user and root.txt. I have try possible ways in my easy, upload a file it didnt work, exploid with metasploit it didnt worked too. Now my question is the site too slow or … i dont know how to get it … I hope anyone can help thx
I too am up to the knowledge test.
the target IP website is dreadfully slow, it takes some minutes for each page to load.
when i did find a place that i could upload a file that could enable reverse shell, the upload file button is not launching
can a HTB staff member check that all is well with this challenge?
@KnightOfNih said:
I too am up to the knowledge test.
the target IP website is dreadfully slow, it takes some minutes for each page to load.when i did find a place that i could upload a file that could enable reverse shell, the upload file button is not launching
can a HTB staff member check that all is well with this challenge?
It’s fairly rare for HTB staff to read comments on here - they are largely too busy.
If you want to get an issue resolved, raising a jira ticket is a much better way.
Hi everyone, I am suck with this box. There is what I tired :
run Nmap, 2 ports opened (22 openssh 8.2p1and 80 apache 2.4.41)
I found on cve.mitre.org (cve-2020-12062) :
"The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client’s download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that “this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol” and “utimes does not fail under normal circumstances.”
and for apache (cve-2020-1927) :
“In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.”
I don’t see any exploit with Metasploit.
Can you tell me if it’s the good way or if I lose my time ? Thank you!
Type your comment> @TazWake said:
@KnightOfNih said:
I too am up to the knowledge test.
the target IP website is dreadfully slow, it takes some minutes for each page to load.when i did find a place that i could upload a file that could enable reverse shell, the upload file button is not launching
can a HTB staff member check that all is well with this challenge?
It’s fairly rare for HTB staff to read comments on here - they are largely too busy.
If you want to get an issue resolved, raising a jira ticket is a much better way.
Thanks Taz, will do !
Type your comment> @ironhack said:
Hi everyone, I am suck with this box. There is what I tired :
run Nmap, 2 ports opened (22 openssh 8.2p1and 80 apache 2.4.41)
I found on cve.mitre.org (cve-2020-12062) :
"The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client’s download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that “this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol” and “utimes does not fail under normal circumstances.”and for apache (cve-2020-1927) :
“In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.”
I don’t see any exploit with Metasploit.
Can you tell me if it’s the good way or if I lose my time ? Thank you!
Hmmm I did find one exploit useful from metasploit though. I have gotten the user flag but I’m now stuck at the privilege escalation part. In the mrb3n user directory there seemed to be alot “interesting files” but I couldn’t think of any idea to exploit them. Any hints to help me continue?
@EnzoWhitehat98 said:
Hey Guys iam at the last task on the module Getting Started, iam so stuck to get the user and root.txt. I have try possible ways in my easy, upload a file it didnt work, exploid with metasploit it didnt worked too. Now my question is the site too slow or … i dont know how to get it … I hope anyone can help thx
Well it’s slow for me too, so I’ve been lazy going through the webpage and just simply search for an exploit for vulnerable versions on the website. Turns out you don’t need to do much enumeration or guess the admin pw. There’s ald a hint relating to the vulnerable version in the main page
I don’t know if you’re still confused by that or if anyone else is,but.
I wrote a blog about it, you can read it:每日一练 - HgTrojan