Official Appsanity Discussion

Toughest machine of season III (for me at least)
Enjoyed the ■■■■ out of it.

1 Like

if my revshell shows up after ssrf but its just … all garbled, am I almost there? about to throw in the towel.

as in… it’s uploaded, i can get it via SSRF, the preview window pops up and… nada. i set hte mime to text/html, and changed the extension to .aspx and yet…

I had the same problem with the pdf. So I copied the Bella’s pdf that is already uploaded and upload it with the revshell.

fixed. for those having the same issue, i was accessing the file the wrong way. use the website’s functionality, don’t try to cut corners.

Rooted that hard one! Cookie, SSRF and dll hijacking are your friends.
For tips, PM me.

Rooted. Massive MASSIVE thanx to @JimShoes for all the assistance. I was helped out throughout the entire week due to his patience and guidance and I can’t thank him enough.

Taking on this box has taught me certain things. The techniques used in the completing it I don’t think are particularly difficult on the surface, but making sure some detail isn’t missed and chaining certain things together is where this box shows its difficulty. As is seemingly custom for this season, everything here is simple misconfiguration. There aren’t any wild exploits or bugs to use. It’s all simply making use of what’s on display, or even hidden in plain sight.

The foothold was probably the hardest part for me. I missed so many things that if I had taken things a little slower and looked around a little more closely I would have seen pretty easily, or at least caught my eye. My HTB IP address changing at some point didn’t help out in one particular case so I thought what wasn’t an exploitable place turned out to be just the opposite. I was also enlightened (with the help of @JimShoes) about testing a particular port number that I didn’t think about. It makes complete sense in retrospect, but I doubt I would have gone there with his help.

I actually really liked user and root. User kind of sets the stage for root and, in fact, foothold also has a hand in setting that stage. xRogue really deserve some major props with the setup of this machine. It’s like watching a good movie where you get some great payoffs at the end. Very nice! But, as with the rest of the box, attention to detail and a little bit of educated guessing is necessary. Also, making sure proper enumeration is essential! I missed something entirely because of not following through with enumerating things in the final stretch. I should have learned this a while ago, but here I am learning it again: If I’m stuck, start back at the beginning because maybe, just maybe, I missed something important.

Anyway, super thanx again to @JimShoes and thanx to everyone if you read this far. :slight_smile:

1 Like

I’d like to thank whoever triggered my .dll payload before I could figure out how to do it myself.

As I understand the service trigger all the dlls in the folder. Just need to have the name file[whatever].dll
Actually when I did I put more than one with different payloads.

Glad to help. Keep at it!


Anyone needing hints, feel free to reach out.

1 Like

Can someone help with uploading part ? uploading pdf file with reverse shell and doesn’t work, even doesn’t upload a pd file

If your uploads are being blocked, try various ways to bypass the block. There’s nothing too complex in this part so if you do some quick research I’m sure you’ll get it. DM if you think you might need more help.

1 Like

I’m in the portal and pseudo-understand what to do: I know I need to upload a PDF with a revshell, however this is the part where I’m failing. I’m requesting the file via SSRF in the Prescription Link and I see the preview of it, but I’m unable to spawn my shell. I’ve tried many methods of creating the PDF but I’m stuck. Any help would be much appreciated.

hi guys! the machine “Analytical” always redirects to the link:
I think it’s not the direction of the training machine, correct me if I’m wrong…

Figured out my woes. what a fun box!

Is it just me who’s having issues uploading the shell (even with correct format), I get a connection timeout trying to upload. I’m able to upload a short .txt file (with the correct format), so i think the machine is struggling with processing the larger shell?

I’m on free subscription if that makes a difference