this post is about help vm from hackthebox.eu.
- wfuzz’ing helps 🙂 with help. it will reveal a piece of vulnerable support software there. searchsploit for it, even patched version contain vulnerability.
node is not much helpful.
- in my opinion, you can add some tweaks to exploit. just to not be confused by timestamps and their hashes.
- i’ve got some time to browse source code, so relative path of your uploaded stuff is /%vulnerable_soft_folder%/uploads/tickets/.
- inspect database. there’re couple of useful hashes, that can be bruteforced and put together with some /etc/passwd records. after correct guessing, whose pass is it, you should have low-priv ssh access and user flag.
- root can be achieved by searchsploit’ing kernel version. there’s an exploit, which brings a shell immediately.
good luck and try harder.