Official Timing Discussion

Official discussion thread for Timing. Please do not post any spoilers or big hints.

Hi there,

Any hint to start because scanning did not reveal anything exploitable, fuzzing neither (nor bruteforcing…).
Maybe i’m missing something under my eyes (or tired maybe :slight_smile: )…
thx guys

Paying close attention to http status codes while fuzzing for other pages may reveal something that doesn’t require authentication. Go from there.

Thx, in fact i was stucked cause of a bad dictionary…sad :frowning:


Is Timing machine working right now?

I’ve spent a few days wornking on it when it was a realease machine. The problem is that the machine was moved to regular lab and I’m not able to connect anymore.

Yes, I’ve checked if openvpn is working properly and using the correct vpn file config for connecting to labs instead of realease area.

Some ideas?


download vpn file from classic htb and use the ip I had the same issue and this worked for me dont know why.

Thanks, this host is working using new lab openvpn config file. The IP that is shown in the webapp when the machine is launched is wrong (

Hi there,
Same problem for me…
Till yesterday evening, was working on the machine and then, around 20:00 (UTC+1), Out of Order…
I remembered i already had this before.

The Timing machine is migrating from Arena to “normal”.
Then, as my machine was started, it remains in an ambiguous state till it would be shutdown by HTB after the idle time.

Moreover, the Search machine wich is in release got the same private IP and i cannot stop it nor start the Timing machine migrated in the standard lab !

It sounds crazy i know but already experimented that with an arena release …

Ok, this day, all returned to normal, and works :slight_smile:

cat user.txt → done :wink:
It’s either me becoming slower and slower or HTB box rating becoming harder and harder ^^
Took me 2 full evenings to get to user !

It’s a nice box so far… so onto root now :slight_smile:

Edit: …and rooted!
Root part was fun and pretty straight forward :wink:

thx @irogir ; it was a nice box

as always, pm if stucked, but please provide “precise enough” info before asking so I don’t spoil

Hi all,

Rooted. If you need some help, just tell me for hint.

gg wp

1 Like

Sheesh, I’m having some trouble getting foothold. Fuzzing inputs, scanning with dictionaries, all bunk so far. Maybe its the wordlist I’m trying to use

Alright, I liked this box, but it also annoyed me so I’m going to share a bit:

The main page gives a clue on the type of attacks that should be tried on this machine… It is in fact a very basic vuln, but it’s a little hard to figure out. I used a popular directory/file finder to find the injection point. The results might seem benign, but pay attention of the status/size of results (as mentioned previously in this thread). I’m sure you’ll find right file using a common list. Secondly, I used a simple BASH loop and a popular list to find potential injection parameter vulns. The server will give clear indication once you found something that it thinks is suspicious. Once there you can google for well known techniques. If you did your attack correctly you should be able to get a glimpse of stuff on the filesystem.

Next you’ll have to DO A LOT enumeration. This is the portion that took me hours and hours since I did it very slowly. DO A LOT enumeration. Read a famous file to get a username that you can use. DO A LOT enumeration. It’s possible to guess creds using with the username. DO A LOT enumeration. Once creds are guessed, log-in and change your permissions. DO A LOT enumeration. Send an attack file to the victim… I wasn’t able to get a rev shell (which was odd considering the RCE ability) so I slowly looked through practically the whole file system. DO A LOT enumeration. You’ll eventually find a file that you can bring back to your attack machine. DO A LOT enumeration on the file(s) to reveal some juicy information.

Do your normal assessment of priv esc for HTB machines. Notice a file that you can run as root. Check the file permissions associate with files created when running that program. The file permissions were a clue for me. Think timing.

1 Like

Not so much enumeration.

No enumeration. it is the first thing to check using this type of vuln.

Simple guess. common mistake.

Just login and explore, try everything, observe output and make change.

first leak the source codes to how the uploaded filename is composited, then upload RCE shell and get the url. this is the critical part, related to the machine title. (out-going traffic blocked)

use a common automation tool to find the file for you. (upload the script first)

noticing the hidden folder, it is obvious where to look for hidden info.


For root, i don’t think it is releated to timing.
you can CREATE file as …

1 Like

Hey i am looking at the response codes from dirbuster they don’t seem to be interesting all i am getting is 2- 200 OK responses from image and login.php and a bunch of 301 302 and 403. what should i be looking for?

(Status: 200) [Size: 0]
what is this type of page used for? how to make it output anything? keep enumeration.

image.php looks interesting but I don’t know what to do with it. I tried upload files using curl but they dont seem to be uploaded

Try fuzzing parameters, you’ll get an error message when you’re on the right track

1 Like

bro which wordlist did you use…?