This one is busted. 502’s for hours…
How did you manage to get the reverse shell? I know there is image upload, but when I try to upload a .php, .php.jpg, .php.jpeg or even .jpeg file with a reverse shell the app always returns the .jpeg and I am not getting a reverse shell.
Hi,
I’m trying to get the admin access on the subdomain: According to @meowmeowattack, I check requests when updating my account on this portal. I was thinking about PHP session hijacking, as I found what seems to be the PHP cookie of Jeremy Hammond thanks to SQLi but it doesn’t work. Am I on the right path?
Thanks!
When you register and log in, try looking around your account with Burp; there is something you can change that will give you further access.
hi there, i’d suggest using a png file for image upload type of things, because the file format is cleaner than other formats. once you upload the malicious image, there is a place on the web where you can learn where the file is uploaded to. because the file contains reverse shell, it should be considered a broken image, right?
Hi everyone, are we supposed to do pivoting after the reverse shell?
yes you will have, check ifconfig and ip a
try scan with bash or upload nmap binary and run scan
Can anybody help me?
I have discovered the admin page, but when I try to upload a reverse shell hidden in a .png image and trigger it, I get an error on line 108 something something = ’ ’ ASCI.
I even tried replacing the content of the image with only a reverse shell but nothing gets triggered. All I am getting is the error on line 108. Nothing works.
@BluesyPompanno I PM you
Hi everyone, I have the reverse shell. I found the db on the other host and I can read its content but don’t find anything interesting…
scan the intranet. there are more dbs (and other hosts).
Did you ever figure out how? Maybe it’s possible to add 4 bytes to the beginning of the shell file and fool the API into thinking it’s actually a jpg.
Anyone got a good guide on pivoting? Meterpreter’s port forwards keep closing on me.
Still unable to pivot or tunnel. My ports always end up in CLOSE_WAIT. Help would be appreciated if anyone is still around…
I am stuck on replacing the “hash” in the mongodb
(steps described by meowmeowattack (DB storage which is fruity).)
I run the command to replace it but it does not update; there are no errors, but it returns saying that nothing is changed. Anyone facing the same issue? (I can read stuff but the update set doesn’t seem to work.)
- look through all the info in this db, you will find another subdomain and a bunch of users
- don’t try to crack the users, replace them instead
- you should now be able to access the support system
This was the best box that I’ve done here on HTB!! I like it very much and I learned a lot from it.
There are a few tricky things; however, I think that the hints from @meowmeowattack are more than enough. For anyone stuck, feel free to PM.
looking for nudge, i have a basic shell, have identified some creds, not sure what to do with them.
this list was very helpful, rocketed me through user and to the fourth step in the root flag. totally stuck here on how to pivot the traffic, the method i used earlier is not working. getting an issue with connection refused by the target on the other side of the pivot.