Official Photobomb Discussion

Rooted!
The real challenge is to know which is the interesting parameter in the download photo request. I’m thinking about how the file conversion works…

1 Like

Can someone DM me regarding user?
I wanna know why whatever test I tried on the parameter doesn’t seem to work, not even whoami or ls.
But when I did the reverse shell, it works fine. How?

Nice machine, Thanks!!

Hi all,
I finished the machine, but there is one place I cannot get.
I got a reverse shell using Python, but was not able to get it using a simple bash command. I tried to enter the command explicitly and tried using base64 encoding. No luck. Yes, it was properly URL-encoded.

Rudolf

Because when you test it you won’t have the stdout or stderr piped in the answer. The fact it doesn’t behave like the other parameter is enough to think it is vulnerable.

1 Like

Rooted, but I needed help for the foothold, because of an insufficient knowledge of Burp and also of the parameters poisoning. TIL
Thanks to slartibartfast for his work!

1 Like

Rooted. Need some trick to get a stable shell since my commands don’t return anything when using the “traditional way”.

Just completed this machine - fun, especially getting root.

For root, I ended up creating my own version of the test “[” command that would always allow the cleanup.sh script to run the log copy. I did this by checking for those parameters and returning the “correct” answer - for all other invocations, I just passed the parameters on to the real “[” command. I then replaced the log file with a symlink to /root/root.txt. After changing PATH to give priority to my “[” command, when the cleanup.sh script is run, it basically copies the contents of the root flag to the log backup.

I did have a question regarding the command injection. How realistic is that? Would you expect to just basically try it out and see on various parameters? As a hacker, what would make you suspect that the parameters were part of a command that is run in the shell, instead of parameters being passed to a function? I initially assumed that the image conversion was being carried out by a library such as rmagick instead of a shell command.
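Added example, not part of the original posts or of the machine's code: the difference the question above asks about, parameters interpolated into a shell command line versus parameters passed as arguments, shown with the hardened form a defender would deploy. The parameter names, the allowed values and the `echo` stand-in for the image converter are assumptions.

```python
import re
import subprocess

# Assumed parameter names and allowed values; the thread does not list them.
ALLOWED_TYPES = {"jpg", "png"}
DIMENSIONS_RE = re.compile(r"\A[1-9][0-9]{1,3}x[1-9][0-9]{1,3}\Z")
PHOTO_RE = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9_-]*\.jpg\Z")  # no leading "-", no "/"


def run_shell_string(photo, filetype, dimensions):
    """Vulnerable pattern: request values become part of a shell command line.
    `echo` stands in for the converter so this runs offline."""
    cmd = f"echo convert {photo} -resize {dimensions} out.{filetype}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(photo, filetype, dimensions):
    """No shell involved: each value is exactly one argument, whatever it contains."""
    argv = ["echo", "convert", photo, "-resize", dimensions, f"out.{filetype}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def build_convert_argv(photo, filetype, dimensions):
    """Hardened form: allowlist every value, then build an argv list (never a string)."""
    if not PHOTO_RE.match(photo):
        raise ValueError("photo")
    if filetype not in ALLOWED_TYPES:
        raise ValueError("filetype")
    if not DIMENSIONS_RE.match(dimensions):
        raise ValueError("dimensions")
    return ["convert", photo, "-resize", dimensions, f"out.{filetype}"]


if __name__ == "__main__":
    hostile = "png; echo SECOND-COMMAND-RAN"  # constructed test value
    print(run_shell_string("a.jpg", hostile, "30x20"))  # two lines: the shell split it
    print(run_argv("a.jpg", hostile, "30x20"))          # one line: value stayed literal
    print(build_convert_argv("a.jpg", "png", "30x20"))  # validated argv for the converter
```

A handler that discards the converter's stdout and stderr would show neither output line to the client, which is why the shell-string form can be exploitable while appearing to return nothing.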

One of the three parameters is afraid of needles :smiley: For starters, try poking yourself first to see. When you receive a poke, you are on the right track to get a reverse shell.

Rooted!

Found the vulnerability, but not able to get a shell. Tried telnet, it’s working, still not figuring out what the issue will be. Even reset the machine. Anyone, please suggest.

Try some different shell payloads; verify your cmd execution with something like sleep or curl to your own machine to verify it works.

I was able to find the authorization and conduct some enumeration when logged in. I found some information I have been trying to work off of, but at the moment I am stuck. If someone could DM me so I can see if what I am doing is on the right track I would greatly appreciate it.

Got root. Not that it is needed but did anyone crack the hashes?

May someone help me with foothold?

Thanks

For those who feel lost and need some references to help them understand and solve the machine by themselves, here are some references that helped me figure out what I should do:
for user:

for root:

Hope it can help you, and PM me if you need any help.

1 Like

I am new to hacking. For the privilege escalation, I had to dig a lot into the sudo and sudoers man pages. Learned a lot :slight_smile:

A surely interesting experience, this is my first machine aside from the starting point, and it is so different from the challenges.
For the first time HTB was letting me get a reverse shell :flushed:

In fact, I liked it so much that my past eight hours were spent half pwning the machine and half creating a script to help me enumerate; maybe tomorrow it will be complete.

If anyone coming needs any help, R is always here :heart:

Hi, I am new to HTB and have been doing Starting machines. I decided to try my hand at this machine, but I have no idea where to start lol

I am not sure if this is considered spoiler talk;

I tried the basic nmap, nothing. It told me something about ping, so I did the nmap scan again with -Pn and still didn’t get anything. I am probably doing some of the super basic stuff that probably isn’t going to help me lol.

If anyone can DM me or give me a few pointers on getting started I would greatly appreciate it!

I can surely help anyone who needs it. I sent you a message on the topic with a basic tip, but if you want to know more to get inside, I can also guide you through the machine.

For anyone else, R is always here, just send me a private message and I will answer as soon as I log in :heart: