Thank you for your answer. I've seen this while searching the net, but I really don't see how I can do this ^^' If you have any resources to guide me, I'm all ears.
Thanks for the hints from everyone, I have solved the challenge.
Feel free to DM me if you get stuck while solving it.
Anyone having any issues actually seeing the website? I keep getting a 301 code when trying to access the site on port 80.
If you enumerate the page itself, it will show you that that was the parameter needed.
I'm also interested in how/where exactly to find information about its GET parameters... found no clue on the page itself. A nudge would be highly appreciated.
You need to properly enumerate all the pages, one of the pages will show which parameter you need to use.
Just got root! Here are some tips for the user flag.
- Make good use of your browser's debugger when testing your payload, especially if you are not good with JavaScript. It'll tell you what's wrong.
- Test your payload with something common, like "google", and see if that works.
- Test your payload with something you know exists, like index.php.
- Write everything down! Every little detail you can get, everything you can reveal, every response you get. Analyze everything. Everything you need to know is there. If you are stuck, start from the beginning and enumerate as much as possible. You may have missed something.
I am available in my DMs to give more hints.
Got root flag. Thanks to everyone for the tips and hints. It was a lot of fun and I learned a lot.
Pwned. Thanks to everyone for the tips, they were very useful.
I am stuck on the initial foothold.
I think I know the flow after reading this forum;
the problem is I always get something like %0A every time I try to read some files...
The connection is established... I'm not sure anymore.
Any hint? Appreciated.
You have to chain a couple of exploits together.
If you found more than one vulnerability, think about how you can combine them…
The initial foothold and subsequent enumeration were quite tricky for an easy box, although it's all very conceptual and realistic. Root was a bit easier. It took no time to figure out what to exploit, but I ended up overthinking and taking too long to figure out how/where to exploit it. For root you have to be quick... make sure you're wary of the time.
Hey bro, help with this machine.
Can you elaborate a bit here? I found messages.php but not the param. Running a combination of parameter name and LFI param seems to be taking forever since there are 6M combinations.
❯ ffuf -u 'http://alert.htb/messages.php?FUZZ=VALUE' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -fs 1 -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:VALUE
I've tried to do this for testing, but this doesn't produce anything useful.
❯ ffuf -u 'http://alert.htb/messages.php?FUZZ=../../../../../../../../../../../../../../../../../../../../../../etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ
but I don't find anything useful; even curl directly doesn't give back anything useful.
❯ http get 'http://alert.htb/messages.php?file=../../../../../../../../../../../../../../../../../../../../../../etc/passwd'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 1
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Jan 2025 12:08:56 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
I have solved the box. I have a question about the vulnerability (not related to solving the box).
Why does giving this payload, message='http[://10.10.14.2:8888/', make the server make a GET request to the URL? I looked through the code but could not find how it is doing it. Can someone help me, please?
Anyone around to help a noob out? I understand the XSS in the .md file we can upload. I read in the comments about finding a subdomain, but can't seem to find any. Used both gobuster and ffuf but have had no luck finding anything. Thanks in advance!
"How did everyone know that it is necessary to add the 'file' parameter after the me****e.php file?"
Subdomain?
Sorry, I am unable to find one. Maybe I am using the wrong wordlist; could you provide the wordlist you used, because I can't find any subdomains.
I used
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "" -H "HOST:FUZZ." -t 500 -r -fs 966
The command that you are using is not right; the wordlist is apt.
ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me
This is the command, and then you may use filters as needed.
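From the defender's side, the parameter brute force and traversal payloads shown in the messages.php post above, and the Host-header brute force in the last two posts, all leave a recognisable trail in the web server log. The script below is an added example (not code from this thread or from the box) that flags both patterns; it assumes a vhost-aware Apache log format (client, Host header, request line, status, bytes) and the log lines are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines: client, Host header, request line, status, bytes.
# These are made up for this example, not taken from the box.
SAMPLE_LOG = """\
10.10.14.2 alert.htb "GET /messages.php?file=../../../../etc/passwd HTTP/1.1" 200 1
10.10.14.2 alert.htb "GET /messages.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1
10.10.14.2 alert.htb "GET /messages.php?id=x HTTP/1.1" 200 1
10.10.14.2 alert.htb "GET /messages.php?page=x HTTP/1.1" 200 1
10.10.14.2 www.alert.htb "GET / HTTP/1.1" 200 966
10.10.14.2 mail.alert.htb "GET / HTTP/1.1" 200 966
10.10.14.2 dev.alert.htb "GET / HTTP/1.1" 200 966
10.10.14.5 alert.htb "GET /index.php?page=about HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\S+)$')
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')  # a ".." path segment

def decode_fully(value, rounds=3):
    """Percent-decode up to `rounds` times so ..%2F and double-encoded %252E are caught."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def analyze(log_text, param_threshold=3, vhost_threshold=3):
    """Return (traversal_hits, fuzzing): hits are (client, vhost, target) tuples whose
    query holds a ".." segment; fuzzing maps a client to the reasons it looks like a
    parameter-name or Host-header brute force."""
    traversal_hits, fuzzing = [], defaultdict(list)
    params_per_path, vhosts = defaultdict(set), defaultdict(set)
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        client, vhost, target, _status, _size = m.groups()
        vhosts[client].add(vhost)
        path, _, query = target.partition("?")
        for pair in filter(None, query.split("&")):
            name, _, value = pair.partition("=")
            params_per_path[(client, path)].add(name)
            if TRAVERSAL_RE.search(decode_fully(value)):
                traversal_hits.append((client, vhost, target))
    for (client, path), names in params_per_path.items():
        if len(names) >= param_threshold:
            fuzzing[client].append(f"{len(names)} distinct parameter names on {path}")
    for client, hosts in vhosts.items():
        if len(hosts) >= vhost_threshold:
            fuzzing[client].append(f"{len(hosts)} distinct Host headers")
    return traversal_hits, dict(fuzzing)
```

Tune the thresholds to the application's real parameter surface and vhost count; a single client touching many parameter names on one script in a short window is the ffuf pattern from the thread, and the one-byte responses in the sample are the same "Content-Length: 1" seen in the post above.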