Official UpDown Discussion

kaeru · November 14, 2022, 9:52pm

This was actually a really fun box and I highly recommend it! If you enumerate properly you should have no problem with user or root. Just a few extra steps for user that make it a little challenging, but worth it!

As everyone has said above, root is actually a handout…

shuhaib · November 19, 2022, 5:04pm

(Knowing the phrase for something special, showing the ways to somewhere great.) are you meant about the .php file can you pls specify it?

shuhaib · November 20, 2022, 6:08am

I couldn’t get the php reverse shell, can you help me with a hint

shuhaib · November 20, 2022, 6:22am

could you pls help me with a hint? i was stuck with getting connection my proc_open code was not exactly working

Lnevx · November 25, 2022, 9:54am

Rooted! Nice medium machine with interesting custom vuln foothold.
There are my hints:

Foothold:

Enum, enum, enum… Gobuster users neglect recursive fuzzing (like me) and can get stuck for a long time because of it
When you finally got the code you don’t have to invent anything, just give the script what it wants
P** has a lot of extensions, but were they all banned?
Try to delay the script to do your dirty deeds

User:

When you find and try it, you will understand how to use it. Py****2 is very different from Py****3

Root:

So base, gtfobins to the rescue

PM me if you need a nudge

Clayzes · November 26, 2022, 7:31pm

Hello ,
I have the private key but it’s IMPOSSIBLE to use it to connect.
I’m getting an error “in libcrypto” when trying to connect using ssh …

MinSit · November 29, 2022, 6:18pm

Pretty easy !

dylvie · December 6, 2022, 7:51pm

Nice box. Thank you @AB2 !

FOOTHOLD : check that apache and what’s filter. Something can run.
USER : just grab the key with race condition.
ROOT : just search for vuln and try to forge an input.

htbserge · December 19, 2022, 9:44am

Rooted the box, still have a question though. Initially I tried to get foothold another way, which didn’t work and I’m not sure why, could someone help me with explaining why?

I understand that Apache uses .htaccess on a per-directory basis [1], therefore I tried doing some AddType/AddHandler magic; it did change things (I received HTTP 500; internal Server Error-responses in that directory) but I couldn’t make it work the way I wanted. Why is this? Could it be done?

Many thanks!

htbserge · December 19, 2022, 11:07pm

Update: I got it to work !

I think it’s not the intended path, but… For everyone who might be interested, see below (I tried to keep hints out as much as possible).

The .htaccess-path is more complicated but it can be done. If you’d want to do it, you need to:

a) construct a valid .htaccess-file, otherwise the page will throw HTTP 500s regardless;
b) still get that time-delay stuff in there (specific for this box-challenge), which (afaik) is only possible by controlling an entire newline in said file.

These things can be accomplished by, for example, creating multiline comments in .htaccess.

Feels good to challenge yourself and continue to learn after you rooted the box already.

arham47 · January 11, 2023, 3:21pm

Hey, I copied dev’s key but when i try to connect to machine with that key it always want’s a password.

Gateberg · January 11, 2023, 3:39pm

Wow just spent the last day doing my stuff on the wrong thing for foothold. Decided to enumerate more and found the hidden place. Definitely need to add that enumeration technique into my routine for the future so I don’t miss stuff. rip

Immensus · January 20, 2023, 11:46am

Need some hints for direction.
I have found the subdomain and how to bypass the 403 but I am not sure how to proceed from there for foothold as enumerating more does not really yield any results.

AB2 · February 1, 2023, 9:41am

you can ask me