Toughest machine of season III (for me at least)
Enjoyed the ■■■■ out of it.
1 Like
if my revshell shows up after ssrf but its just … all garbled, am I almost there? about to throw in the towel.
as in… it’s uploaded, i can get it via SSRF, the preview window pops up and… nada. i set hte mime to text/html, and changed the extension to .aspx and yet…
I had the same problem with the pdf. So I copied the Bella’s pdf that is already uploaded and upload it with the revshell.
fixed. for those having the same issue, i was accessing the file the wrong way. use the website’s functionality, don’t try to cut corners.
Rooted that hard one! Cookie, SSRF and dll hijacking are your friends.
For tips, PM me.
Rooted. Massive MASSIVE thanx to @JimShoes for all the assistance. I was helped out throughout the entire week due to his patience and guidance and I can’t thank him enough.
Taking on this box has taught me certain things. The techniques used in the completing it I don’t think are particularly difficult on the surface, but making sure some detail isn’t missed and chaining certain things together is where this box shows its difficulty. As is seemingly custom for this season, everything here is simple misconfiguration. There aren’t any wild exploits or bugs to use. It’s all simply making use of what’s on display, or even hidden in plain sight.
The foothold was probably the hardest part for me. I missed so many things that if I had taken things a little slower and looked around a little more closely I would have seen pretty easily, or at least caught my eye. My HTB IP address changing at some point didn’t help out in one particular case so I thought what wasn’t an exploitable place turned out to be just the opposite. I was also enlightened (with the help of @JimShoes) about testing a particular port number that I didn’t think about. It makes complete sense in retrospect, but I doubt I would have gone there with his help.
I actually really liked user and root. User kind of sets the stage for root and, in fact, foothold also has a hand in setting that stage. xRogue really deserve some major props with the setup of this machine. It’s like watching a good movie where you get some great payoffs at the end. Very nice! But, as with the rest of the box, attention to detail and a little bit of educated guessing is necessary. Also, making sure proper enumeration is essential! I missed something entirely because of not following through with enumerating things in the final stretch. I should have learned this a while ago, but here I am learning it again: If I’m stuck, start back at the beginning because maybe, just maybe, I missed something important.
Anyway, super thanx again to @JimShoes and thanx to everyone if you read this far. 
1 Like
I’d like to thank whoever triggered my .dll payload before I could figure out how to do it myself.
Hahah
As I understand the service trigger all the dlls in the folder. Just need to have the name file[whatever].dll
Actually when I did I put more than one with different payloads.
Glad to help. Keep at it!
2 Likes
Anyone needing hints, feel free to reach out.
1 Like
Can someone help with uploading part ? uploading pdf file with reverse shell and doesn’t work, even doesn’t upload a pd file
If your uploads are being blocked, try various ways to bypass the block. There’s nothing too complex in this part so if you do some quick research I’m sure you’ll get it. DM if you think you might need more help.
1 Like