• Wow, it is definitely one of my favorites. Great box @jkr

  • edited June 2019


  • I am getting this error on running s*** a*** u******* command.
    Writing more data than expected (612 > 611)
    Hashes of expected file:

    Filesize:611 [weak]

    Can anyone help me out please there must be some problem with r***** and p***** files.
    What to do?

  • Hello, can I please get a PM about how to get the rev shell from inside the admin panel?

    I have played around with burp editing the requests I am making to (what I assume) is the upload page, but when I try to add in a boundary to the request it tells me its 400 and is an invalid request.

  • edited June 2019

    If you are having trouble getting user after/before a reverse shell. Be Neo and go back to the source.


  • @ThrashTitan said:
    Hello, can I please get a PM about how to get the rev shell from inside the admin panel?

    I have played around with burp editing the requests I am making to (what I assume) is the upload page, but when I try to add in a boundary to the request it tells me its 400 and is an invalid request.



  • Type your comment> @sh13ld said:

    Who need help in onetwoseven machine PM me

    Neat. Apparently now instead of looking to see whether there's a "1 New" badge to know whether there are new questions, I should instead check to see whether it doesn't say "Most recent by sh13ld". Useful stuff.

  • The script outputs "successfull.y", but is nowhere to be found, I've PM people to know the location and it's not there.
    Any idea what I'm missing?

    OSCP | eCPPT |

  • listening on [any] 4444 ...
    connect to [] from onetwoseven [] 54286
    [email protected]:/# whoami
    [email protected]:/# cat /root/root.txt

    Can't believe I did it. As a piece of advice on root, you might pinhole yourself into thinking it could be an input validation exploit and even going as far as to follow a certain guide on how to do it. Instead, think about how the box is configured and how you can work that configuration to your advantage. Is there any way to fool the machine into thinking you're something it looks to as a source of information?

  • edited June 2019

    great boxx

    Hack The Box

  • Forty-three years later-
    This machine is the sickest and I mean that in the kindest way possible.
    Max-respects, @jkr
    You need anything. Please write me.
    I'll do my best for you.

  • Root was a blast! Solid machine. Go back to the basics :)

    Hack The Box | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • If someone could pm me a hint for the s**-t***** that would me great. I already got all pieces together but can't figure this part out

  • edited July 2019

    Does anyone have any solid resources/articles for the repo part? I have read through several and am really struggling. I have wget resolving, I have signed .deb and everything else. But I simply can not get the target to pull ANYTHING with a-g u*****. pls hlp.

    EDIT: PEBKAC - I was tilted and serving from the wrong directory.
    I can pull packages but they get "held back" at a later step.... respect and beer given to anyone who helps me.

    EDIT again: My GOD. What a doozy. I learnt an incredible amount. Probably the hardest yet most rewarding box I have done so far out of everything I have seen here, in vulnhub and in the OSCP labs.

  • Great box ! What an amazing root dance ! I've learned a lot of things and really enjoyed it ! Thank you !

  • Rooted! It's my favorite box now! Thank you @jkr !

    PM for hints, but try to describe exactly where u are on the box and what you've tried. Don't forget about +respect button:)

  • Having issues getting my tunnel working properly. Can't access the a**** page. I just keep getting forbidden. Can someone please help me with my syntax issues because I feel I am on the right track based off this thread.

  • Hello :)
    I'm stucked at the root part. I got the successfull.y message, but I don't know how to find the file. If someone could help me/ could give me a hint, that would be nice.

  • edited July 2019

    Got shell, but still don't have user flag

  • got root! it's really interesting box. PM for hint

  • edited July 2019

    Stuck staring at the Admin login for the last 2 hours.
    Read the entire forum, and can't find the "file".
    Edit: I'm in. Now stuck at upload part for 2 days.
    Edit: On to root..

  • edited July 2019

    Woof, I feel like a fool. Can anyone PM me with a nudge? I have the initial s**p access and managed to find some creds with **ml***s, but I am totally stuck on actually getting access to the high port. I understand tunneling is involved but I can't see how I can activate it with the privileges available. Thanks!

    EDIT: nevermind I figured it out. To anyone else also having this issue: make sure you actually understand what you're doing with the tunneling command, read the docs.

  • Type your comment> @ZerkerEOD said:

    Type your comment> @PavelKCZ said:

    Check if you do not suddenly have two tun interfaces on your Kali. If so, restart your machine, not the server.

    I didn't check to see if I had more than one tun interface but I did reset my machine. I walked away a couple times and came back fresh throughout the day.

    Folks you don't have to reset or reboot your machine for the tunnel issue. you can just kill your vpn tunnel by "pkill openvpn" and it will remove any openvpn you have established. Everytime you connect to hackthebox, a new interface is created starting from tun range 0, and if you establish another vpn, then you have tun1 & tun0. which then makes it hard for the system to find his gateway. so just "pkill openvpn" and re-establish your vpn :)

  • edited July 2019

    Finally rooted thanks to @siryarbles . Here are some hints that may help:

    User: Everything you need is in this forum. In the upload part try to understand how the machine is processing U-Ls, what process first and what next and how htaccess works. Read the code carefully and check ad---s headers from examples.

    Root: If you have already found this blog about a-t M--M is the right one. But you will have to do some changes. First, a-p sp---ing is not going to work. Remember network layers... There is a var that a-g uses in some cases. You might have already seen it with s--- -l. You don't need D-S sp---ing either. Just give to the box what it requests. You can use the same thing you found in that var but in your side. After that just read outputs and fix trees.

    PM me for hints.

  • Type your comment

  • That was awesome, just beware of the trap, I certainly fell in to it. Drop me a PM if you want pointers.

  • edited July 2019

    I had basic shell but have no luck with root... some hint?

  • edited July 2019

    Guys for upload php I get 404 not found, tried many other urls, I even created a custom dictionary and ran it with dirb, but still couldn't fix it, anyone willing to help?

  • Rooted. Might be the best box I've done to date, learned a lot, thanks @jkr

    User: no shell required.

    Hardest part of this box for me was getting the first shell. Burned a lot of time trying to get my p****n to upload. Finally the light bulb went off. For those of you who get stuck here with a 404, 200, or even the success message - if you can't easily find your file, you're doing something wrong.

    Root: What to exploit should be apparent pretty quickly. The obvious exploits won't work though. There's a useful article in Google that walks through the steps. It needs to be adapted. The steps are a bit tedious and require some trial and error to get things just right.

    feel free to PM for hints.

  • [email protected]:~/bin# id
    uid=0(root) gid=0(root) groups=0(root)
    Wow, what a challenge! Phenomenal work @jkr . Super satisfying to do these boxes that don't rely on some CVE, or on CTF style puzzle, or automation, but just require that you know your stuff (or learn it quick) and figure things out by hand. Tons of fun. I got caught up for an embarrassing amount of time like half a step from root on an incredibly foolish oversight -- always consider very deeply exactly what the service/program etc. that you are trying to exploit does. I didn't and it cost me like 4 hours. PM me for nudges! Also big thanks to @antares341 for giving me the clue I needed to get out of the hole I dug myself into, one of the biggest facepalms in my life when I realized lol.

Sign In to comment.