onetwoseven

Comments

  • Hey all

    I'm having real trouble with the upload part of the box, been trying for a week. I've been trying to use the oma**** plugin to upload my file and all I get is "200 ok".

    I think it might be something to do with the p***_m**** part of the code, but if it is I don't know how to do it.

    I've been using the default upload options from the menu page just modifying the 'action' and disabled bit.

    Any help would be greatly appreciated.

    Thank you.

  • edited May 2019

    Can someone please PM me about the upload part? Getting "Not found" on the uploader.

    Edit: Nevermind. Trying for root now.

  • @Rang3r said:

    Hey all

    I'm having real trouble with the upload part of the box, been trying for a week. I've been trying to use the oma**** plugin to upload my file and all I get is "200 ok".

    I think it might be something to do with the p***_m**** part of the code, but if it is I don't know how to do it.

    I've been using the default upload options from the menu page just modifying the 'action' and disabled bit.

    Any help would be greatly appreciated.

    Thank you.

    Take a look at the REQUEST_URI.
    Take a look at what the URI looks like when you do a GET request, when you download one of the files.
    It's easy once you figure it out. I also struggled for some days reading and experimenting, and eventually I asked for some hints and it was obvious, well, not so much.

  • What a beautiful machine 10/10. Congrats @jkr :)

    Tips in this post are enough to solve it:

    USER

    Pay attention to the IPs used when trying to reach the high port. I failed one in my s** command and a 403 error was continuously shown.
    After that you can get user.txt; you don't need a valid shell.

    ROOT
    This is not a one-command machine to get root.txt. You have to understand well how some basic Unix commands work and how to take advantage of them. Google is your friend with a nice article, but you need some modifications.

    leonishan

  • Wow. This box put me through some major challenges. As others have said, a lot of what needs to be done is not a simple case of one or two commands and you're in, you do have to do a lot of prep before getting anywhere in this box.
    Hats off to @jkr for a challenging box.
    Special thanks to @ZerkerEOD for his massive help in getting both user and root, and also to @raiden99 for giving me some much needed pointers during my chaotic run for root.

    OK, here come the hints.

    Initial Foothold
    - One type of file can be viewed as another type.
    - Zelda's hero can help you see things that are out of reach.

    User
    - Was that user there all the time?
    - How did I get access in the first place?
    - How did that process work?
    - Would it work for others?

    Root (Deep breath)
    - I hope there is some light at the end of the ...
    - Browser might need a little tweak.
    - Now, how do all these scripts work? Step by step!
    - It's oddly satisfying when you have to take things apart and build things from scratch.

    I am happy to help people out, but after I offered help with LaCasaDePapel, I received over 300 messages in less than two weeks. I will still help people who need it, but with a couple of conditions:
    1. Use the forum to send me a private message or find me on Discord (don't write on my wall or use the private message function on the HTB site, as I don't get notified).
    2. I try to respond as soon as I receive messages, but I may leave it until the end of the day and do them in bulk, so be patient.
    3. Tell me your current status: where you currently are, what you have done, what you have tried, what you would like to confirm. I want to avoid spoilers as much as possible.

    Good luck to those still working at it!

    Hack The Box
    Discord: AzAxIaL#8633

  • hi all, can i PM someone to chat about initial foothold?

  • edited May 2019

    Hey all, After tunneling SSH, when browsing, I just get a blank page when hitting the right port. Any advice?

    edit: NVM, sorted

    If someone was helpful, don't forget to give +1 Respect.
    Arrexel

  • Am currently stuck with figuring out how to bypass the gpg checks with a-g u*****. Any tips would be greatly appreciated!

  • OK, had access through the tunnel to the high port yesterday, now I'm getting 403s. Do I need to edit some permissions through sftp?

  • edited May 2019

    I'm stuck at the higher port. I guess I'm missing something, can I get a guide please?

    Edit: found

  • Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)

    Anyone who is familiar with this error please PM me

  • edited May 2019

    Something weird is happening, I'm trying to sftp again with the default user/pass and keep getting permission denied. Reset the box, same issue. Yesterday it was working just fine. Has anyone experienced this? Going to try with the second user I guess.

    Edit: the second "limited" user (which I gathered from my enumeration yesterday) works fine. Weird.

    lduros

  • @PavelKCZ said:

    One thing I would like to know. Is there someone with the OSCP certification ?

    How hard or simple is this box compared to boxes which are used during OSCP certification ?

    That's pretty much on the harder end of things I'd say. 80% of the lab boxes are easier than that. Also the exam boxes, which resemble the lab boxes in many ways.

    Hack The Box

    OSCP | CEH

  • When I try one IP, I'm getting 403 forbidden after tunneling. When I try a diff IP, I get a blank page for the page where you log in (it'll also inform me if a page doesn't exist). Can anyone give me a hint? Thanks.

  • Stuck at the upload part now, getting an OK/200, but nothing happens. Think I got most of the parameters right. Funny that you can see the part that downloads stuff without the ReRu, whereas the part that uploads the ReRu refers to cannot be addressed directly and throws an error.

    Considering a reset, but there is still ots-mODVhZTM on the box, too. Are you still working on it?

    Also thanks to AzAxIaL, who showed me a new trick...

    Hack The Box

    OSCP | CEH

  • edited May 2019

    [solved question about uploading]
    If you need help with the addon uploading part, feel free to PM me.

  • edited May 2019

    Splitting of file XXX failed as it doesn't contain all expected parts 0 1 0

    Has anyone encountered this for the privesc? I'm trying to figure out what's wrong with my R****se. I'm obviously missing something, but I'm not sure what the expected parts are. I guess I'll check from the real one. Any hint would be appreciated!

    Thanks,

    Edit: never mind, I figured this piece out by installing the target OS in a VM and playing with it. The output and logs you can get by being root for a PoC are very useful. I recommend doing this in a VM first.

    lduros

  • 🥴 Finally got root on this box. Even though the privilege escalation path is quite clear it was still a struggle for days (if not weeks - I did some other machines meanwhile to get a break from this one)... This was frustrating, but this is the way you learn things! Never did such an attack before! Thanks @jkr for this experience!

    Hint for PrivEsc: Victim machine does while you go for the PrivEsc command(s) and rebuild that. There is an interesting webpage available describing this attack. Just adopt it!

    And don't forget to TRY HARDER! 🤪

  • What a ride guys, loved this box.
    My 2 cents for user and root.

    User: that username is always the same, how the hell is it generated? Try to find a way to understand it and you will be fine.

    Root: well, prepare to try again and again. The box wants you to tell her that connections are coming from localhost; find out how to do it, and once you are in there is only one path to root. It is in front of you once you understand something about "dangerous" permissions.

    Keep up the good work @jkr!!

    Cheers

    Click here for HTB Profile: You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • edited June 2019

    If your python http server gives 404 on files which you definitely have - consider switching to apache with proxy.py.

  • Quite annoying but still interesting machine that seeks a lot of steps to complete. Msg me if you get stuck

  • I'm stuck. I have the S**P credentials from the site, and I'm able to login and upload as I wish, but I can't seem to run anything beyond the HTML page. I've tried all the options in the help menu, but none seem to make any difference on either the site or S****P.

    I know there is an admin page at a higher port, and I'll need to do some S** tunneling to get to it, but when I try it gives me "This service allows s**p connections only."

    What am I missing?

  • @TheZeroCode said:

    I'm stuck. I have the S**P credentials from the site, and I'm able to login and upload as I wish, but I can't seem to run anything beyond the HTML page. I've tried all the options in the help menu, but none seem to make any difference on either the site or S****P.

    I know there is an admin page at a higher port, and I'll need to do some S** tunneling to get to it, but when I try it gives me "This service allows s**p connections only."

    What am I missing?

    Your next step is kinda L-ook F-or I-nformation like. Search for the right symbol to the right directory.

  • edited June 2019

    Edit: posted in wrong thread

  • This is one of the best privescs I've seen in my life. This box took many days for me to root but it was totally worth it.

    PM For hints :)

    Hack The Box
    -OSCP-

  • Thx @jkr for your box.
    Thx @groganard for user.
    Thx @ZerkerEOD for root.
    Hack the next...

  • Hi All,
    anyone able to help me with root? Pretty sure I have found the correct attack vector. Just a bit stuck on where to go with it.

    Thanks :)

    If someone was helpful, don't forget to give +1 Respect.
    Arrexel

  • I could really use a hand with the upload portion. I've reviewed the scripts, and I'm pretty sure I know what I have to do to get my own plugin uploaded. I'm just stuck on how to format the request via B**** S****.

  • I am getting very angry with the attack vector to get the root flag, I cannot make it work!!!!!!

  • Hey all.

    I finally got root. This is probably the hardest box I've done.

    This is the first box that I've asked people for help on, and I just want to say that the community has been great, helpful and patient.

    I want to thank @avetamine for help getting the upload and @AzAxIaL for help with getting root.

    Thanks for a great forum.