onetwoseven

191012141519

Comments

  • edited May 2019

    For the last step of root, it seems like it can be done by combining some readily available tools on a typical Kali box, or you can roll your own (trying not to give a spoiler here) -- I've gotten this as a hint. I have already tried the former and now I'm trying the latter. I have my own custom solution that should work, but seemingly due to the intricacies of a** I get some weird behavior based on what I use as a "backend".

    Could someone that also wrote their own solution perhaps give me a message so I can discuss my solution with them and perhaps learn why mine doesn't work yet?

    I also had some weird behavior reaching a certain port earlier on the box and I'm starting to wonder if this is related to my problems with the root part.

    Edit: Got root. There is no need to write your own custom solution for the p**** server part like I did, it only complicated everything a lot. Thanks to those that decided to help me!

  • Hi. Need a help with privesc part on onetwoseven box) PM me please)

  • Rooted. Good workout for the brain.
    PM if u need a nudge.

  • edited May 2019

    Boys... I need your Help.
    I'am at that point where i'm supposed to connect to the high port to the server...
    OK! Done (using s** tu**el)... BUT.. when i'm trying to go to the website BAM! White Blank page...
    No errors occurs... Absolutely nothing...Trying to play around with that searching for some response except "not found" but nothing... I m lost.. i can see some directory but they're can't go anywhere.... 60080 SKITTLES TO THE ONE WHO HELP ME!

    Edit: Got the user.txt... Painfull... But its ok! It's part of the game... No lets back on track to get root... Thanks to @m4xp0wer and @Razzty for the nudges! <3

  • Holy hell - never again. During this box I had all mental states - from stoic, madness, happiness, depression and boredom. But learned a lot - probably more than I would do on few lesser boxes together.
    Thanks to @s4d0w and @M4xp0wer for giving me nudges - respect to you my friends. Without you guys I would never do it on my own. Thank you again.

    Guys, keep fighting. Feeling of relief after this box is refreshing :+1:

    Razzty

  • Hello,

    I am stuck on the initial foothold. I have managed to find the credentials, sftp in and even tunnel but I cannot sftp in on the high port with the found credentials or access the admin panel.

    I have also tried all of the commands within sftp and found that none of them work. I then tried to upload a reverse shell script and that wouldn't do anything either.

    So, now I am stuck. Please PM me for any hints. Thanks.

  • edited May 2019

    Well can I get help in plugin-upload, because when I'm submitting my plugin it is giving me 404
    I think I'm at last stage of pwning it, need some help please pm

  • Spoiler Removed

  • edited May 2019

    Just rooted..
    A very fun box, and very original in almost every aspect and every step, especially the shell and root process..

    Thanks a lot @jkr for this awesome box, keep making similar boxes :)

  • for root part, google a-g MITM helps a lot .
    another tip is : Build a real D** server rather than edit hosts .
    Thanks a lot @jkr for this awesome box. it's so nice and clean.

  • edited May 2019

    Root obtained.

    Thanks @jkr and everyone for their help.

    Hit me up if you need a nudge though this topic already provides plenty of hints.

  • What's with the blank page as a response at the upload?
    I think i am making the necessary changes on the "client-side" part.

  • I got the information that I needed from the strange extension file. I know that I have to tunnel. However, I am not entirely sure what the right command is, as I get a message saying :

    service allows **** connections only

    Any help will be appreciated.

  • edited May 2019

    Type your comment> @badwolf said:

    I got the information that I needed from the strange extension file. I know that I have to tunnel. However, I am not entirely sure what the right command is, as I get a message saying :

    service allows **** connections only

    Any help will be appreciated.

    You need to create the tunnel but not necessarily keeping the connection open, there is a specific parameter for that ;)

  • edited May 2019

    Type your comment> @avetamine said:

    You need to create the tunnel but not necessarily keeping the connection open, there is a specific parameter for that ;)

    What? That makes sense, however I couldn't find such parameter in man ssh. I have to look more carefully

  • edited May 2019

    @badwolf said:
    Type your comment> @avetamine said:

    You need to create the tunnel but not necessarily keeping the connection open, there is a specific parameter for that ;)

    What? That makes sense, however I couldn't find such parameter in man ssh. I have to look more carefully

    Its a paremeter that is you commonly used along with port forwarding where command execution is not required, thats all i can say from here. ;)

  • Oh, right. I get it now. I know what parameter you refer to. Thanks

  • I am doing this box and would need some hints on the initial foothold. I have some info but I dont know how to proceed

  • Im an utter noob, been spending 5+ hours trying to get user.

    anyone be so kind to PM me just to point me in the right direction?
    I dont want straight answers, just directions :)
    I can also explain what I have done (tried rather) and anyone can correct me or assert my progress in the right directions.

    Thanks!!

  • Type your comment> @gregX01 said:

    I am doing this box and would need some hints on the initial foothold. I have some info but I dont know how to proceed

    1. one POST params could be exploitable for OS commands
    2. By using 1st hint, you could download two .pem files
    3. combine them to generate .pfx file (Convert a PEM Certificate to PFX format)
    4. use hint3, to be able to access web application on higher port
    5. on higher port, you will get access to ssh later nfs
      ....
  • I am at the high port panel with no creds. I cannot figure out what to use within S**P. Can anyone throw me a bone? Or a PM?

  • edited May 2019

    done.

  • Thanks @billycontras, @Chrix87, @m4xp0wer and @Wingadium for all the tips and help for me to get root. Box was really hard. To anyone who needs help, feel free to pm me :) good luck have fun

  • Type your comment> @azasdf74M said:

    Type your comment> @gregX01 said:

    I am doing this box and would need some hints on the initial foothold. I have some info but I dont know how to proceed

    1. one POST params could be exploitable for OS commands
    2. By using 1st hint, you could download two .pem files
    3. combine them to generate .pfx file (Convert a PEM Certificate to PFX format)
    4. use hint3, to be able to access web application on higher port
    5. on higher port, you will get access to ssh later nfs
      ....

    I think you are in the wrong thread. Those hints are usefull for another active box. i whish the best of fortunes to you!

    Cheers!

  • edited May 2019

    Good box, but it's definitely been frustrating... gone through quite a lot but not able to upload the plugin :/ Would like to get some tips on how to bypass the disabled addons upload (Does it have something to do with the strpos R******_U** and the preg_match check?)

  • What a fun box! Finally rooted. PM me for Hints.

  • Figured it out, time for shell> @D4nch3n said:

    Good box, but it's definitely been frustrating... gone through quite a lot but not able to upload the plugin :/ Would like to get some tips on how to bypass the disabled addons upload (Does it have something to do with the strpos R******_U** and the preg_match check?)

  • edited May 2019

    Stranded at the end of the tunnel, with a login screen to the admin panel.

    So far so good, also found a couple other interesting files and directories. So, can you find some credentials somewhere for that panel?

    Or should I try to work without any credentials. Might be possible, but I don't quite know how, especially since I can't look at the important files in that directory... Any help would be appreciated.

    Or do I even need to run Hydra against the admin panel which might be tricky, due to the tunnel...

    Cheers,
    WTW

    Hack The Box

    OSCP | CEH

  • Type your comment> @walksthewires said:
    > Stranded at the end of the tunnel, with a login screen to the admin panel.
    >
    > So far so good, also found a couple other interesting files and directories. So, can you find some credentials somewhere for that panel?
    >
    > Or should I try to work without any credentials. Might be possible, but I don't quite know how, especially since I can't look at the important files in that directory... Any help would be appreciated.
    >
    > Or do I even need to run Hydra against the admin panel which might be tricky, due to the tunnel...
    >
    > Cheers,
    > WTW

    Credentials are in file stored on the tatget box
Sign In to comment.