I’m struggling with the ssh step. I’m not sure how this exploit works and what I have to do. I tried to upload an ssh key for a new user but it tells me the key is invalid. Any nudges?
Check out the key format. It should be pem or it wouldn’t get accepted
1 Like
can some one tell me if im doing something wrong.
i got a socks proxy on the windows host and i think i found where the app is but i get an ssl error in burp.
pls dm me if you need more info.
i got it i had the wrong app, i found the right one and got the root flag.
shout out to lim8en1 for the assistance 
3 Likes
I got the LFI, but in order to get RCE, I think I need to have a legit PEM file on the server. So any hint would be appreciated! And also, I look around for potential login credential to the web page but got nothing
Friendly reminder. YOU DONT HAVE TO RESET THE BOX EVERY 5 MINS BECAUSE YOUR EXPLOIT ISNT WORKING
1 Like
Agreed, this makes this box almost unfeasible to attempt at this point. I didn’t have time to complete this before it was moved off of the individualized boxes and it’s terrible to try and go forward now
2 Likes
Finished finally. Everything you need for a hint is here in this thread, but PM me if you have any questions. All I ask is a + respect in return on the HTB app side.
1 Like
IMO the very first exploit (with php) is really hard to do on this box with everyone “trying at the same time”… unfortunately it’s configured to NOT overwrite if the exploit/file name already exists so it’s really a pain to “redo” it or, if anyone else has done it before you, it’ll be a mess…
The POC/CVE for this on the internet all point to the same “executable path” so, in the end, 90% of people will be pointing there (/dev/shm) and they will always use r**.php…
To be honest, I’ve tried making it run on another name but it didn’t work!! It actually never starts if it’s with another name… I’m not sure if I’ve missed anything and I won’t be retrying it now LOL… and I did a “quick test” by creating a file to print ‘id’ command… all right… then to create the file for reverse shell… no good. File already exists… then only way I’ve found was to reset but it was still when the machine had individual access setup…
So… if everyone needs to create a file /dev/shm/r**.php … and the file is “already there” and you can’t overwrite it… then only a reset will make it work 
Maybe the owner/creator of the box could push a simple “fix”: set the reset script to also clean /dev/shm/*.php along with everything else it does…
1 Like
Can someone who has gotten user PM me; I am stuck with root access in the container and could use a nudge. Thx!
you can just mkdir in /dev/shm and put the run.php in that folder.
then when you change the module path to /dev/shm you can load the module with the folder name you created.
if your exploit is not working, create another folder in /dev/shm and use that.
that way you dont have to keep resetting the box.
it was verry annoying when your pivoting and the box got reset again, i needed to automate almost every step becouse of that
2 Likes
Use burp suite to capture the post requests and send to repeater, then modify.
As for the cannot write, the payload can create new directories… E.g /dev/shm/a/r…
I didn’t try new folders when I did it… thanks for sharing that. This info is really good so others really don’t need to reset the box every try out 
Thanks again.
1 Like
I’m struggling in the Windows Privilege Escalation, if anyone can help me I’ll be grateful and will give respect to him.
DM please
What a machine! Big thanks to @Tomouhead for the push towards the SAML Tracer. This was a massive help.
Really enjoyed the machine, learned lots of new things.
Chisel and proxychains are a life saver on this box.
Feel free to ping me a PM if you are stuck.
3 Likes
for the love of all that is holy stop trying to reset the machine!!!
1 Like
none of the ports seem to be open on the DC other than the winrm port… im at my limit… maybe an issue with chisel? any nudges?
When I try to connect to winrm, I get this error ‘Enter-PSSession: Connecting to remote server 127.0.0.1 failed with the following error message : acquiring creds with username only failed An invalid name was supplied SPNEGO cannot find mechanisms to negotiate For more information, see the about_Remote_Troubleshooting Help topic.’
What’s wrong?