What a ride this weekend was for me seeing my box submission being released.
I did not think about something like stage fright before 7 UTC on Saturday, but I must admit that although I tested the box and tried to check every detail, I was not sure if the box mechanics would work out. Also, the longer I waited for the box to be released, the more I was wondering whether you as the HTB community might like the box or not.
I must say I was happy when the first blood for user was spilled, so I knew someone had found a way in, and when @mprox got first root blood (to me astonishingly and impressively fast - kudos to you!) I was really delighted it all worked well.
During the first 6 hours I also had a look at the server on eu-free-1 and sometimes enjoyed watching you guys doing all the things on the machine. To me it looked kind of responsive most of the time - with the first reset after 4 hours as an additional good sign to me. I quickly learned that the HTB community is a really creative one in finding the way to user and root. Good luck to all who are still on, or have not yet started, their journey.
The very positive feedback I have gotten so far in this thread and via PMs (from the people who solved it and from those who gave some preliminary feedback while still on their way) makes me even happier! I really appreciate this very much! Thank you all for your support.
How in ■■■■ did you guys find a possibly non-publicly-linked upload page? As soon as I try to enumerate anything using gobuster or others, I run into the WAF.
Please, can anyone PM me a hint on how to correctly upload some .php as a plugin?
I have been trying to figure out the correct POST request (in RESTClient for Firefox) for more than two hours, but I am only getting “Unknown plugin type” and no file is uploaded.
Can anyone PM me with a nudge on how you found the plugin/addon/upload whatever part that you guys are talking about? I run into the WAF as soon as I do any enumeration; even nikto stops after a few seconds.
Can’t understand what I’m missing after getting access to sftp.
I’ve tried to look at the sftp commands but nothing caught my attention, can someone put me on the right path?
What an amazing box!!! Thank you @jkr for putting all the effort!!
I loved that box, especially the root part!! Very original and very exciting!!
Edit: some (as subtle as possible) hints for the box:
For User:
The box gives you creds and access, no need to overthink that. Once you’re in, help yourself and explore what you can do. Try everything. You might not be able to view certain file extensions, so try “re-branding” them. You’ll see the breadcrumbs popping out, so all you have to do is follow them.
If you try to get to some high port, remember there are ways to forward traffic around in your box…
Trying to upload stuff might be tricky there, so make sure you examine the necessary element.
For Root:
Go through the normal enumeration and it will stick out. It’s not that easy to root it with just a command from GTFOBins, so think about what you can do. If you find that relevant blog post, read it, make sure you understand what each step is doing and think about what applies in this box and what doesn’t. Blindly following it will probably create more frustration… You’ll have to get your hands dirty to configure and serve what you carefully prepared, so this step involved (at least in my case) a lot of debugging, but it’s so rewarding at the end!
Hope I don’t confuse people with my hints, as English is not my first language.