Official UpDown Discussion

This was actually a really fun box and I highly recommend it! If you enumerate properly you should have no problem with user or root. Just a few extra steps for user that make it a little challenging, but worth it!

As everyone has said above, root is actually a handout…

(Knowing the phrase for something special, showing the ways to somewhere great.) are you meant about the .php file can you pls specify it?

I couldn’t get the php reverse shell, can you help me with a hint

could you pls help me with a hint? i was stuck with getting connection my proc_open code was not exactly working :disappointed_relieved:

Rooted! Nice medium machine with interesting custom vuln foothold.
There are my hints:


  • Enum, enum, enum… Gobuster users neglect recursive fuzzing (like me) and can get stuck for a long time because of it
  • When you finally got the code you don’t have to invent anything, just give the script what it wants
  • P** has a lot of extensions, but were they all banned?
  • Try to delay the script to do your dirty deeds


  • When you find and try it, you will understand how to use it. Py****2 is very different from Py****3


  • So base, gtfobins to the rescue

PM me if you need a nudge :slight_smile:

Hello ,
I have the private key but it’s IMPOSSIBLE to use it to connect.
I’m getting an error “in libcrypto” when trying to connect using ssh …

Pretty easy !

Nice box. Thank you @AB2 !

FOOTHOLD : check that apache and what’s filter. Something can run.
USER : just grab the key with race condition.
ROOT : just search for vuln and try to forge an input.

1 Like

Rooted the box, still have a question though. Initially I tried to get foothold another way, which didn’t work and I’m not sure why, could someone help me with explaining why?

I understand that Apache uses .htaccess on a per-directory basis [1], therefore I tried doing some AddType/AddHandler magic; it did change things (I received HTTP 500; internal Server Error-responses in that directory) but I couldn’t make it work the way I wanted. Why is this? Could it be done?

Many thanks! :heart:

Update: I got it to work :tada: !

I think it’s not the intended path, but… For everyone who might be interested, see below (I tried to keep hints out as much as possible).

The .htaccess-path is more complicated but it can be done. If you’d want to do it, you need to:

  • a) construct a valid .htaccess-file, otherwise the page will throw HTTP 500s regardless;
  • b) still get that time-delay stuff in there (specific for this box-challenge), which (afaik) is only possible by controlling an entire newline in said file.

These things can be accomplished by, for example, creating multiline comments in .htaccess.

Feels good to challenge yourself and continue to learn after you rooted the box already.

Hey, I copied dev’s key but when i try to connect to machine with that key it always want’s a password.

Wow just spent the last day doing my stuff on the wrong thing for foothold. Decided to enumerate more and found the hidden place. Definitely need to add that enumeration technique into my routine for the future so I don’t miss stuff. rip

Need some hints for direction.
I have found the subdomain and how to bypass the 403 but I am not sure how to proceed from there for foothold as enumerating more does not really yield any results.

you can ask me :smiley: