Official C.O.P Discussion

Official discussion thread for C.O.P. Please do not post any spoilers or big hints.

hey guys! i found a sqli, but i cant read or write files and cant get os-shell. what’s next? any hints?


You already got a hint - maybe you have not recognized the hint.

1 Like

I’m stuck at the same point :smiling_face_with_tear:
Have tried a lot of things without any result. Any small hint?

1 Like

I found sqli but can not read any server data i am trying SSTI but nothing :upside_down_face:


Does the challenge work for you guys? I managed to pull the exploit locally but no luck on the actual server, wondering if it’s a me thing or not haha

1 Like

what kind of exploit is that?

1 Like

I used the given files to create a local Docker container. As Docker server I use Flatcar Container Linux in a VM. My exploit works with both the local instance on my server and the instance on the HTB server. I did not notice any difference.

I’m also having this issue, have a local exploit working, but when applying the exploit to the live instance, the connection hangs. Tried regenning VPN etc but no dice.

If anyone has any ideas or hints that’d be amazing.

I do not use a VPN to connect to the HTB server for the challenges. The IP number of the challenge docker containers is reachable when the HTB website is reachable.

Maybe you are trying to connect from the Docker container to your local computer. Then your computer must be reachable from the container inside the HTB server.

Hey, I’m just using the HTB VPN, can connect to the live instance and browse the challenge website etc, but when attempting to send the exploit it hangs unresponsive. The exploit is purely local, dumping the flag to a location I know I can browse (hope that isn’t a spoiler, but seems pretty standard practice for the challenges as opposed to going for a shell etc)

I just checked it now. Writing and reading a file with an exploit is possible with my local Docker container and the Docker container running on the HTB. No change between local instance and HTB server was needed (only change of IP and port number).

The access works for me without VPN, only with the specified IP after starting the challenge.

The challenge was pretty straight forward, no difference if you tests your payload on a local instance or on the actual HTB container.
For anyone stuck, feel free to drop me a PM.