Hello guys!
Little help here. I’m stuck on initial foothold. Is the /vie**/conta***.h*** a rabbit hole? I never saw a htb box with actual emails and addresses.
Can anyone give me an alternative program and/or some readable on doing the payloads? ys******s seems to break down on me.
I’m playing around with the B***** and am getting an HTTP 200 response using a fast format with our ys********.N** tool. However I am not capturing any connections to my kali box trying ping or curl. Trying the other format with our tool gives a 500 error and also no connections with ping or curl.
Working on user all weekend so any tips via DM would be appreciated :). Learning a lot on this box…I just have a feeling something small is tripping me up.
Hints:
User: It took me 10000 years but there are plenty of clues here. You don’t need a Windows box, but I’m not good at Windows so it was helpful for me to try stuff there and validate my syntax.
Root: There’s multiple ways and I’m pretty sure I took the ‘easy’ way. Lots of hints here already and really, I think user.txt was a much more substantial challenge.
PM me if you need a nudge
Can anyone give me a hint on root (any way)? thx
@letsIG0rAWAY said:
Can anyone give me a hint on root (any way)? thx
The easiest way is to check payload all the things for a vegetable mentioned a few times in this thread. That works a treat.
I can’t help with the harder way, other than to say it is hard.
@TazWake said:
@letsIG0rAWAY said:
Can anyone give me a hint on root (any way)? thx
The easiest way is to check payload all the things for a vegetable mentioned a few times in this thread. That works a treat.
I can’t help with the harder way, other than to say it is hard.
thx, rooted, you are cool, I can sleep)
Finally I made it,
After several days I’m now root. Really good machine with great lessons.
Hints,
Initial Shell - After enumeration you need to catch what happened to create your access; remember the machine name.
Users - in fact, just the access gives you the first user, just remember to enumerate.
Root - just veggies …
I see other things on the server, interesting services running, but after much searching, nothing shows me the right path, if someone can share the knowledge, I will thank you.
Well that was hard, but I got there in the end. I think that from reading the forum on this, I knew how to get root before getting the user!
Tips for user: Look at the machine name and research. I can’t give any more clues without giving the game away.
Tips for root: I was lazy, but I made sure that I did it without using tools that aren’t allowed for the OSCP exam. So because of that my biggest tip would be to read this forum.
If anybody has any general questions about this box feel free to get in touch.
Time for bed me thinks!
Got root,
There are 2 possible ways to get root. First, you should see that in initial foothold, but it is hard because you have to work a lot. Second, just know well about user
easier but you have to wait…
For user, just change something until you get error and learn about that error.
Ping me for help
pls pm me with a hint on how to establish an initial foothold. I’m seeing the encoded jn on being sent on the /a/t**** endpoint. I’m seeing yso******.n** in my research. I initially thought xxe but nothing is working. I am getting a 500 with a bunch of class references - yet clueless on putting this all together… a couple hints would be appreciated.
Community friends!
I’m reaching out a hand here for the initial foothold. I’ve identified the attack vector and also tried shooting my payloads against it, but I just can’t get it to perform any RCE.
So back to roots, I did spend some time to set up a local target environment and I have successfully got RCE on that system.
I have double/triple checked everything, but there must have been something I have missed here on json.htb.
Any help would be greatly appreciated!
I’ll share details of my findings in PM if needed
EDIT: rooted.
I used the reversing path to gain root
Finally, I have root on this box. User was harder than root, especially since I had zero experience with JSON. Happy to help anyone who is stuck, just PM me.
Could anybody please help me? For a few days trying to build payload for /a**/A*****t/ to have ping back… Tried different RCE gadgets. Built a script to rotate all arguments from _0xd18f, with gadget’s payload in argument. Have 200 OK from server.
Edited:
Made things more complicated than they are. There is no need to use existing body structure + payload. Just payload from internet.
Got in with the initial login, can see a**/a******. Not sure where to go from here though. Would it be possible to get a hint in my PMs?
@nazars said:
Could anybody please help me? For a few days trying to build payload for /a**/A*****t/ to have ping back… Tried different RCE gadgets. Built a script to rotate all arguments from _0xd18f, with gadget’s payload in argument. Have 200 OK from server.
If you are getting 200 OK response, you are doing it wrong
Anybody kind enough to pm some assistance. I understand the concept, just having some issues crafting the payload correctly
To whoever made the script that I found trying a hoop to hoop shot by looking for that b64: dude YOU ARE A F*CKING GOD.
I was looking for the manual to tell me what to use so I could pass it on to my good friend John, but I had had no luck so far.
Now I’m going to give it a second shot to the vegetable way so I can get root on my own.