• euzeuz
    edited January 2019

    Got user, followed the trail so I could switch user twice, but now I'm kinda stuck. I assume I have to use the binary that's not t**p to read the flag from root folder, right ?

    If someone can pm me about my assumption, that would be awesome !

    EDIT: got root, thanks to @clmtn for confirming me I was on proper tracks and @Nofix for the awesome ressource !

    Hack The Box
    Always giving respect to people who guided me properly without spoiling .

    Think everyone should do the same.

  • Anybody else get a root shell? Wondering if someone did it different than me

    Hack The Box

  • The webpage doesn't even load for me, what insanely small detail am I missing here...

  • Ok, this is an odd request. I got the ldap*1/2 passwords, the root flag and the user flag, but I never figured out how to escalate from the initial shell. Would someone mind PMing me and walking me through the proper way I was supposed to do this? I know I didn't do it the right way.

  • I need hint, stuck on getting root. I am logged in as ldap1. I read the man page for op****l twice. Can't figure out away to use it to read files

  • edited January 2019

    Got both flags but no root reverse shell

    Also, when people have rooted a box please can they remove any access they created (like an account with root privileges that I could just su to without a password. Although I didn't use this to get the flags).

  • Anyone got tips/hints for initial enumeration? Done initial nmap etc, but not sure on where to go from here for this box :P

  • Drop me a dm and i see what i can do to help


  • Got root + root shell

    Fairly straight forward

    Standard nmap enumeration

    Initial foothold
    Read whats in front of you clearly - specifically what runs on port 80 !

    1st user : The box name is a dead giveaway as to whats going on. Leverage your attack internally, might take a while to get want you need - try multiple queries

    2nd user : don't over complicate things - a basic list is all you need

    Root flag - look whats in front of you and see what its capable of. If its not behaving how you expect it might be worth specifying direct path (this got me stuck for a couple hours)

    Root Shell - if it can read then it can also write


  • For the last 2 days I have done some queries and looking at the output believe got something. Do you need to decrypt or is it in plain text. Can't get to user access.

  • @safexsal said:
    For the last 2 days I have done some queries and looking at the output believe got something. Do you need to decrypt or is it in plain text. Can't get to user access.

    No decryption is required to get user access.

  • Can anyone throw me a hint, I think I'm at the last step, I have access to the two users, and I can see user 1 has two binaries in their home area that can be executed with enhanced privs over what their account has.

    What I just can't get is the last step of using the T or O binaries to get the flag. I think I need the O file but I've tried reading the flags file as in as an input command but get access denied.

  • I'm pretty sure that o****** should be used, but stuck on permission for reading.
    I need a hint - this binary should be run from other script/program? or directly?

  • Finally rooted the box, all you need is in this thread. For popping a root shell, if you can read then you can write! Happy to provide hints for anyone stuck.


  • Hi!
    Rooted, but actually didn't get what is happening when the creds of ld****ser2 are exposed. What is causing this? which process? Does someone know?

  • Rooted this machine if anyone need help feel free to pm :)
  • can not capure any thing with **dum. Can any one help me with the command ?

  • edited January 2019

    Got root. Wasted many hours just because of damn wrong path …

  • Anyone can pm me for initial user, im kinda stuck (have some data from t****p but do not know how to use it, or if it is a deep hole i dig for myself :( Thanks!


  • Thanks to @samsepi0l and @Nofix for hints, it was not so easy as i thought and im glad to help anyone im PM.

  • Any hint about what to do to trigger t*****p on a specific port? I tried navigating on the web, launching features of the web,...

    MP me.


  • Some (hopefully) non spoiler-y comments for anyone stuck.

    Initial foothold - Check the simplest thing you could possibly do on a fresh box.


    • Take a moment and listen to the box, particularly when you look at something that loads slower than expected.
    • Do not over-complicate once you've heard something - the answer is in front you.
    • Do not attempt to SSH with your answer (refused to work for me at least), there's a very common way to change user from your foothold.
    • I couldn't directly move any files between the box and my machine. @waspy comment on page 6 definitely works.


    • As others have mentioned - something is more capable than it should be.
    • When running the above explicitly write every filepath; do not be lazy or it won't work!
    • If you don't know what filepath you're after, check out the end of any of IppSec's Youtube videos, you'll find what you need.

    I'm a scrub but happy to take on PMs if needed.

  • rooted. learned a lot, thanks, if u need help, tell me.

  • Can someone PM a hint for root flag? I got access to both users, got access to the zip but clueless on what to do now. Not getting much wiser reading about capabilities


  • edited February 2019

    I could use a nudge. Only got the initial ssh and a couple sha512 hashes. t*****p gives me nothing useful :/
    edit1: got it, cheers @clmtn


  • edited February 2019

    Would anyone be able to provide a hint for User? Like @sanre initial query I am unsure on how to get the information I need using t*****p

    EDIT: Reached l*******1, now to figure out root...
    EDIT2: Rooted, Thanks for the advise folks!

  • finally got root but still got some questions on why something worked the way it worked

    PM would be nice

    Hack The Box

  • edited February 2019

    Anyone able to help with escalating from the first user? I've ran the t*****p but am getting the same information that I got from the n*** script. I've tried using {*****}* to login as well as the full hashes, but no luck.

    EDIT: Nevermind, make sure you listen in the right places! :confounded:
    EDIT 2: Rooted.. paths are important!

  • edited February 2019

    Finally rooted this box and learned about capabilities :)
    Special thanks to @sanre for taking the time to explain about linux capabilities.

Sign In to comment.