Vault


Comments

  • I have not visited the forum here for a while now, and I don't think I will again any time soon. It is rather disappointing to see how many spoilers there are on a box that is not even 48 hours past release yet. You guys are practically telling everyone how to do the whole box.

    • end of rant / carry on....
  • That's a fair opinion. Like I said, feel free to report it, it won't bother me at all. My intent is to help people understand the general tasks that need to be accomplished so they don't waste hours downloading and messing around with a random iso image, for instance. I don't think people really learn anything by wasting time with rabbit holes (even if they're unintentional).

    --Skunkfoot

  • edited November 2018

    @Skunkfoot said:
    That's a fair opinion. Like I said, feel free to report it, it won't bother me at all. My intent is to help people understand the general tasks that need to be accomplished so they don't waste hours downloading and messing around with a random iso image, for instance. I don't think people really learn anything by wasting time with rabbit holes (even if they're unintentional).

    People definitely learn something wasting their time with rabbit holes. Whether it's a positive experience or not, it doesn't necessarily mean they're a waste of time. Rabbit holes hone critical thinking and are a real world problem.

  • @0x29A said:

    @Skunkfoot said:
    That's a fair opinion. Like I said, feel free to report it, it won't bother me at all. My intent is to help people understand the general tasks that need to be accomplished so they don't waste hours downloading and messing around with a random iso image, for instance. I don't think people really learn anything by wasting time with rabbit holes (even if they're unintentional).

    People definitely learn something wasting their time with rabbit holes. Whether it's a positive experience or not, it doesn't necessarily mean they're a waste of time. Rabbit holes hone critical thinking and are a real world problem.

    Good point :)

    --Skunkfoot

  • edited November 2018

    For example, if someone wasted six hours digging through an ISO, maybe they'll think twice about doing that again next time they run across one and mark it low priority. Maybe they'll take note about what the ISO contains (could be a hint) and just continue on. Maybe they'll learn how to md5 or sha1 the ISO file and see if it's a stock image. If it's not, maybe they'll learn how to diff the ISO file with a stock ISO so they aren't forced to dig around the entire thing.

    Similar lessons may be learned from just about any rabbit hole.

    Look at IppSec's videos and how quickly he dismisses most rabbit holes. You think he does that in practice? I do. How do you think he learned such intuition?

    Regarding things like login rabbit holes: at each layer in the hacking process, you should follow the standard steps. The first being recon. For example if you see a login form half way through your recon process and you immediately start hitting it with a brute force, you've just violated modus operandi. It's not until that doesn't even work that you continue your recon...so why not have continued that in the first place in order to gather all of the puzzle pieces? I like to call them "dots." Once you have all the dots, you'll have the beginning of your attack surface graph. You can start performing more systematic research on each of their attack vectors, forming relationships with other dots, and determine routes to your final goal. Finally, you can map out the shortest cost, least noisy, shortest path, etc to reach your goal. Most, if not all, of the rabbit holes at this point will be obvious in your graph.

    Learning how to be pragmatic and how to frame your problems accordingly may not always save you time, but it will save you the headache of guessing and working with unknowns and eventually dissolve your reliance on script kiddie tools and methodologies. Most importantly (imho), it will make you quieter in real life encounters.

    Edit: Slightly off-topic rant: To all of the cheaters out there: This is a learned skill. A talent. An art. And it's required. If you request help from someone and they provide a spoiler, either discard it or learn from it, don't live by it, and certainly don't pass it on. If you must (e.g. team member, close friend, or something), explain to them what you learned from it rather than just copying & pasting the solution, because that does neither party any good. Plus, spending the extra ten minutes it takes to digest the solution and explaining it to yourself and then to your friend will totally be worth it, trust me. For example: Someone asked me for help on a simple binary exploitation. I could've just pasted him my ~50 byte payload and maybe tried to answer some questions following that, but instead I took 20 minutes out of my day and wrote a fairly detailed write-up specifically for him on how it was done. It taught him how to do it, I learned a couple things merely explaining each individual step, and if he ends up sharing it, so be it... there's no copy & paste solution, just reading material for others. Sure there's a leader board, but we don't -- shouldn't be measuring epeens here, we're all intellectuals. We should all think of ourselves as students and teachers. Do your part in the community. Learn together!

  • edited November 2018

    @0PT1MUS said:
    I have not visited the forum here for a while now, and I don't think I will again any time soon. It is rather disappointing to see how many spoilers there are on a box that is not even 48 hours past release yet. You guys are practically telling everyone how to do the whole box.

    • end of rant / carry on....

    I reconsidered, maybe you're right, I forgot how new this machine is still. Removed my post. :)

    @0x29A said:
    For example, if someone wasted six hours digging through an ISO, maybe they'll think twice about doing that again next time they run across one and mark it low priority. Maybe they'll take note about what the ISO contains (could be a hint) and just continue on. Maybe they'll learn how to md5 or sha1 the ISO file and see if it's a stock image. If it's not, maybe they'll learn how to diff the ISO file with a stock ISO so they aren't forced to dig around the entire thing.

    Similar lessons may be learned from just about any rabbit hole.

    Look at IppSec's videos and how quickly he dismisses most rabbit holes. You think he does that in practice? I do. How do you think he learned such intuition?

    Yeah, good point, I'm pretty sure I actually learned how to check the md5sum from a rabbit hole I was exploring haha. And IppSec actually goes down some rabbit holes just to show why they're rabbit holes!

    --Skunkfoot

  • OK, I am in the first SSH but from here I don't have the knowledge to proceed to the next server. Does someone have a link for me where I can study the next steps?

    SekIsBack

  • And rooted! - What a fun box, I really liked the whole jumping hosts part.
    The only downside: As this is a new machine, so many people mess with things, or even do destructive things like nuking the home directory and so forth... I think it is time for me to get VIP and try those retired boxes.

    avoidy

  • edited November 2018

    Could anyone give me a way? I have gone to the page for uploading and have bypassed the filter, but then when I move to the /up****s/ directory and type (name of file).php or the full name including those characters, it won't show up; it says 404.

  • @Divyanshu said:
    Could anyone give me a way? I have gone to the page for uploading and have bypassed the filter, but then when I move to the /up****s/ directory and type (name of file).php or the full name including those characters, it won't show up; it says 404.

    Try other bypass techniques

    my4andle

  • @0PT1MUS said:
    I have not visited the forum here for a while now, and I don't think I will again any time soon. It is rather disappointing to see how many spoilers there are on a box that is not even 48 hours past release yet. You guys are practically telling everyone how to do the whole box.

    • end of rant / carry on....

    Agree - general hints have been too detailed lately almost to the point where it becomes a walkthrough. I feel everyone needs to spend some time on the box before figuring it out. I think it'll help cut down on the "i see a login page, let me bruteforce everything" approach

    Nothing wrong with helping out however! :)

    fnitepresident

  • Ok I am at the last stage but can not figure out what to do with the v.n stuff ....

  • got to the 1*******.4 machine and VP and DS page.. no ideas how to proceed, please point out a place to study for this step?

  • @0x29A said:
    I could've just pasted him my ~50 byte payload and maybe tried to answer some questions following that, but instead I took 20 minutes out of my day and wrote a fairly detailed write-up specifically for him on how it was done. It taught him how to do it, I learned a couple things merely explaining each individual step, and if he ends up sharing it, so be it... there's no copy & paste solution, just reading material for others. Sure there's a leader board, but we don't -- shouldn't be measuring epeens here, we're all intellectuals. We should all think of ourselves as students and teachers. Do your part in the community. Learn together!

    For me, this is the best thing about HTB. I have certainly had times where something has stumped me (often stupidly obvious things as well) and I've asked for help. I can't tell you how grateful I am if someone can explain the solution to me, rather than give me an answer. If I can then understand it well enough to explain to someone else, all the better.

    On the whole, everyone can approach HTB in whatever way they want - it doesn't affect me. If they are in a rush to get every box and just want the flags handed to them, I don't mind. They have as much right to experience it that way as anyone else. However, for me, I want to learn new things and explore ways of thinking I might not be used to.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • am trying>>>

  • For root, do I have to bypass something?

  • need help on final stage of this machine if anyone could give a hint?

  • Anyone else having issues with this on eu1? I'm not even able to ping it.

    Opaque

  • Always... always... write down what you try. Finally found the folder lol with a little help from taking a break, some sleep, and johnnie walker. Don't overthink it. It is very easy. just play with the things that stick out.

  • Can someone PM me? I have a question and I don't know how to ask without giving a bunch of spoilers lol

    Thank you.

    Opaque

  • Need help with tunnelling. Can someone pls PM.

  • where is the user.txt

  • Can someone in here send some good tunnelling material, as many others, including me, are facing a bit of a problem with tunnelling.

  • Can someone PM me for a hint regarding root? Thanks

  • Hello there,

    I have a shell.
    I have a tunnel.
    I found a webpage on .4
    I found a file called 12**.o***.
    I'm thinking this is a rabbit hole?

    Deleite

  • @deleite said:
    Hello there,

    I have a shell.
    I have a tunnel.
    I found a webpage on .4
    I found a file called 12**.o***.
    I'm thinking this is a rabbit hole?

    What else did you find? Have you googled something related to it?

  • edited November 2018

    Spoiler Removed - egre55

    Deleite

  • how do you move from D** to Vault?
