Official Time Discussion

@unkn0wnsyst3m said:

@duongsake21 said:

Machine responds to me “********* re**** *** SYS”, but I don’t have anything back. I don’t know if it was caused by the connection or I did it in the wrong way :frowning:

The first time I ran this it worked; now, a few days later, I am back and got errors like this as well as timeouts… maybe that’s why this is called time?

headshake - it worked, checked my HTTP serving directory, the errors here don’t seem to necessarily add up, which makes sense because you are leveraging processes in an unintended way.

Rooted, fun box. Initial enumeration was a pain. Like @TazWake said, google all the error messages and it will point you to the right CVE.
PM for nudges

Yes, I use the CVE, I have a rev shell… connected, but now? :frowning: Little hint?

@tortellino said:

Yes, I use the CVE, I have a rev shell… connected, but now? :frowning: Little hint?

Grab the user flag, enumerate - enumscripts can be useful here. Find something, look at what it does. Modify it to your ends.

Yes, if I little help other… you image a two tunnel.
Now I’m going to root. Hint?
It’s my second box.

@TazWake said:

@tortellino said:

Yes, I use the CVE, I have a rev shell… connected, but now? :frowning: Little hint?

Grab the user flag, enumerate - enumscripts can be useful here. Find something, look at what it does. Modify it to your ends.

@tortellino said:

Yes, if I little help other… you image a two tunnel.
Now I’m going to root. Hint?
It’s my second box.

You need to enumerate. It’s hard to be any clearer without telling you which file to look at.

Oh, this one was very quick.

I think there are enough hints around here. However, as I saw some people complaining about having their root shell dropped, you should know that there is more than one way to get your shell, right?

I also had this problem with my first approach (don’t know why), but my second try worked like a charm.
:slight_smile:

Kindly please give me some hint. I’m still in a deep rabbit hole. Any advice is appreciated.

@L4c3fer said:

Kindly please give me some hint. I’m still in a deep rabbit hole. Any advice is appreciated.

Any hint? Ok - use nmap to find open ports, when you find an open port, look into it and see if it has anything you can use to exploit the box.

If that isn’t much use, it might help if you give an idea of where you are, what you are trying to do, what has failed and, ideally, why the previous hints haven’t helped.

@TazWake didn’t get a JSON dese******* exploit that works

@L4c3fer said:

@TazWake didn’t get a JSON dese******* exploit that works

I am not sure I used an exploit you’d describe that way. The one I used was based on googling the error messages.

Could someone give me a nudge on the CVE? I googled the hell out of the error messages and I tried all the CVE PoCs I could find, and none work. I don’t know what I’m looking for anymore.

@Foxar said:

Could someone give me a nudge on the CVE? I googled the hell out of the error messages and I tried all the CVE PoCs I could find, and none work. I don’t know what I’m looking for anymore.

The one I used has the last five numbers add up to 18.

Hi @TazWake, can I PM you? Can you give me a sanity check on the exploit?

@blackbrownco said:

Hi @TazWake, can I PM you? Can you give me a sanity check on the exploit?

Yep.

Thanks @TazWake for the nudge! The box has been rooted!

Think I need a nudge. I’m trying not to follow advice I don’t understand, and I’m currently all out of ideas. I know where the vulnerability is and I know how to use the vulnerable functionality in the way it’s intended. I don’t know how to exploit it and all my ideas have failed.

I’ve narrowed it down to 5 or 6 CVEs, and I feel pretty confident that my own process would have led me to look these up sooner or later based on the errors I’ve uncovered. I have a generic question about CVEs. The ones I’ve looked up for this vulnerability all seem too vague to be really informative to me but they all have relatively high severities. How do experienced hackers approach CVEs like these (without spoiling the machine)? There are github links to the actual changes, but the one I think is the vulnerability on this box consists of 20 something commits, and I’m not quite at the point where I want to pore over 800 lines of someone else’s code to solve this box unless that’s actually what you all did, and after 5 pages of forum posts, I’m guessing that’s not the case.

@leadOctopus said:

Think I need a nudge. I’m trying not to follow advice I don’t understand, and I’m currently all out of ideas. I know where the vulnerability is and I know how to use the vulnerable functionality in the way it’s intended. I don’t know how to exploit it and all my ideas have failed.

The best thing I can suggest is the same as the previous answers - try something, look at the error, google the error.

This will, eventually, narrow it down to one.

The ones I’ve looked up for this vulnerability all seem too vague to be really informative to me but they all have relatively high severities.

This is fairly common. There is a constant debate about how much information people should include within a CVE disclosure. Some high-profile security people feel it helps attackers too much if it contains anything useful.

Part of the argument about HTB’s ratings is based on how well any relevant CVEs work without modification/research. This is a medium box, so there will need to be modification to the public exploits to make it work.

How do experienced hackers approach CVEs like these (without spoiling the machine)? There are github links to the actual changes, but the one I think is the vulnerability on this box consists of 20 something commits, and I’m not quite at the point where I want to pore over 800 lines of someone else’s code to solve this box unless that’s actually what you all did, and after 5 pages of forum posts, I’m guessing that’s not the case.

I am not a hacker, so I don’t want to guess how other people work, but in general, the process is reading through and poring over the code.

With this box, I’d suggest trying the CVEs you have. See if they should work, then see if you can get them working. I found the initial steps narrowed it down to one, which made it easier to eliminate the bits which worked vs the bits which didn’t.

User took me ages and it was one of the first exploits I looked at that I needed to use. Went away from it for a few days and came back, tweaked that one a bit and got in. Root took about half an hour and most of that was automated.

Hello! It’s the first box I am doing. I read all the hints here but I still can’t find the correct CVE for user. After finding 2 error messages I narrowed the list of CVEs.
I have focused on a specific blog post and a corresponding GitHub example, but I can’t perform any RCE. So I have 2 questions:

  1. Can I PM someone so I can make sure that I am working on the correct CVE?
  2. Do I have to pass my exploit through Burp? I was passing my exploit through the web form. Will Burp make any difference? If yes, why?