onetwoseven


Comments

  • Finally got user, as of now user for this box was a lot harder than Fortune box. Feel free to PM me for hints.

    on to root, folks I know what to take advantage of, but it is not working, if anyone is willing to help, would be much appreciated.

  • edited July 2019

    I know exactly what to do, but ettercap and arpspoof both fail because of the tun0 interface, how am I supposed to be blamed for that? @jkr

  • edited July 2019

    Been stuck at user for ages. I am confident about the tunnel, but the box just serves me blank pages - no data, only headers!

    I suppose that I am on the right path, but am I missing something? Are the blank pages a natural step towards the actual content?

    The returned headers do not seem interesting, but maybe I am missing something ..

    I can get results using D**B***er, but the pages are blank, although certain paths show directory listings.

    A nudge/hint would be nice!

    Edit: Thanks to @jkr I finally got it!

  • I have this problem that I get a message saying that the file is uploaded. But shouldn't it be located in the same place as all the other files? I've tried several paths, but I don't seem to be able to find it.

    Running for OSCP

  • edited July 2019
    Thanks for the great machine @jkr !

    User: ssh is not needed, uploads are not needed. You ONLY need: provided s**p access, basic logic, help commands and "what if i... " comment in the very beginning of this thread
    looking at exposed web pages (those you start with) is also helpful.

    Root: Creds are available thru s**p. To process the upload, read the source carefully, there is a statement missing at some point. Modified request helps to solve this problem. Look out for examples to run it properly after upload. On final step do not pay attention to errors, go ahead and install it.
  • Finally rooted! Thank you @jkr for such a great machine. Also thank you @denstr for a nudge.
    All I needed for the last step to root was the A** M**M blog, knowledge of how to keep env in sd and Burp.

  • edited July 2019

    EDIT: Got it, Wow what a ride! Awesome box @jkr mad respect! I learned so much from this box, thank you!

  • Finally rooted! That probably was my longest journey on HTB. Thanks to all the guys who helped me, HackTheBox community is the best!
    PM if you need a hint :)

  • edited July 2019

    Hehe, got root. Huge huge thanks to @flipflop139874 for the help.

    Noticed some weird stuff, e.g. you should intercept the first request and let the second one go forward without any intervention.
    Had to reset the box a couple of times because of the cache.

    prior MITM knowledge is really handy for root on this box.
    you have to find alternatives for some stuff explained in online articles.

    and thank you @jkr for the box.

    As usual, if anyone needs help, PM me.

  • Got user, well, very interesting, thanks for all the tips. Now on the road to root

  • Damnit. I've tried to upload that file back and forth for a couple of weeks. There was 1 little thing I had not tested.... I paid too much attention to what was in the file without thinking about the consequences of running it that way (hence successfully uploaded, without a file..).

    Running for OSCP

  • Great Box @jkr

    A box where you learn a little.

    User

    Getting the user is quite easy with the comments in this thread. However, the part that confused me was that of the plugin.

    Root

    The root part was amazing!
    Frustrating but in the end exciting, it is only trial and error again and again until it is achieved. MM seems to be a complicated attack at first, but just look at so and save you certain steps in the network part. However, a fundamental part is to investigate and understand the attack.

    A very good root track is this:

    @antares341 said:
    Finally rooted thanks to @siryarbles . Here are some hints that may help:

    User: Everything you need is in this forum. In the upload part try to understand how the machine is processing U-Ls, what process first and what next and how htaccess works. Read the code carefully and check ad---s headers from examples.

    Root: If you have already found this blog about a-t M--M is the right one. But you will have to do some changes. First, a-p sp---ing is not going to work. Remember network layers... There is a var that a-g uses in some cases. You might have already seen it with s--- -l. You don't need D-S sp---ing either. Just give to the box what it requests. You can use the same thing you found in that var but in your side. After that just read outputs and fix trees.

    PM me for hints.

  • edited July 2019
    Hello,
    I've had some success with s**p commands, I found the a****-h*** dir, got some good info there.. I found user.txt also but no permission to view it.. I guess I need to find my way to p 6**8*
    I'm still stuck there 😑 any help would be great, PM
    EDIT: I found my way in to the right place, still stuck with ad*** upload
    EDIT: I found my way in, now using a reverse shell, working on getting root
  • @lfabname said:

    > Hello,
    > I've had some success with sp commands, I found the a****-h*** dir, got some good info there.. I found user.txt also but no permission to view it.. I guess I need to find my way to p 68*
    > I'm still stuck there 😑 any help would be great, PM

    Did you check available pages?

  • I'm bashing my head against the wall trying to find the creds for the admin page. If anyone wants to throw a hint my way that would be greatly appreciated!

  • edited July 2019

    Hit a forbidden access after setting up my s**t****l. Am I doing the correct command? Anyone care that I can DM?

    happy to say im a newb

  • @wizliz said:
    > I'm bashing my head against the wall trying to find the creds for the admin page. If anyone wants to throw a hint my way that would be greatly appreciated!

    My advice to you.. Use what's available in front of u from the beginning, u'll be amazed when it works. PM if u still stuck
  • edited July 2019

    I got user without using any shell. I think I got it by the intended way. Just use S**P.

    However, this is where I got stuck. I have the source code for all the visible php and that hidden php in h * * l a * * * n. Can I still carry on if I don't have any shell?

  • @thetarget said:

    > I got user without using any shell. I think I got it by the intended way. Just use S**P.
    >
    > However, this is where I got stuck. I have the source code for all the visible php and that hidden php in h * * l a * * * n. Can I still carry on if I don't have any shell?

    Yes.

    Running for OSCP

  • @extincted said:

    > @thetarget said:
    >
    > > I got user without using any shell. I think I got it by the intended way. Just use S**P.
    > >
    > > However, this is where I got stuck. I have the source code for all the visible php and that hidden php in h * * l a * * * n. Can I still carry on if I don't have any shell?
    >
    > Yes.

    You mean I can get root without achieving a reverse shell for this challenge?

  • Hey,

    I am able to create the tunnel and I am seeing the "A***n" option enabled. However, when clicking it, it's not going anywhere.

    I think I am having issues with the resolution since that option goes to on********n.**b:6**** and after some time it will time out.

    Could someone please help me to understand what I am missing for this to work?

    PP

  • edited July 2019
    @pp123 said:
    > Hey,
    >
    > I am able to create the tunnel and I am seeing the "A***n" option enabled. However, when clicking it, it's not going anywhere.
    >
    > I think I am having issues with the resolution since that option goes to on********n.**b:6**** and after some time it will time out.
    >
    > Could someone please help me to understand what I am missing for this to work?
    >
    > PP

    My experience by going to on*n.*b:6* is Forbidden Access.. and I guess I have used the params they have mentioned here. :confused:

    happy to say im a newb

  • What a box.
    As others say it's probably the most interesting box I've seen (although I'm a n00b)

    Thanks a lot @jkr
    I can't even begin to imagine how difficult is to plan such a box

    Thanks again

  • edited July 2019
    I've played with the zelda thing. I took a peek at the /home directory using a web browser. Then I tried zelda again on other places and got presented with "Failure". I tried my working syntax that enabled me to peek but it also turned out to be "Failure". Can anyone help me please?

    happy to say im a newb

  • Hello,

    I am still blocked at the upload part. I was having issues with the "Unknown Plugin Type", but now I am sending requests and just getting 200 OK with no messages at all.

    I reviewed the script, but not able to properly execute it. I know there is a mention about the h*****s rules but don't get how to play with them.

    Could someone please help me to clarify what I am not seeing to properly upload my file?

    PP

  • edited July 2019

    @pp123 said:

    > Hello,
    >
    > I am still blocked at the upload part. I was having issues with the "Unknown Plugin Type", but now I am sending requests and just getting 200 OK with no messages at all.
    >
    > I reviewed the script, but not able to properly execute it. I know there is a mention about the h*****s rules but don't get how to play with them.
    >
    > Could someone please help me to clarify what I am not seeing to properly upload my file?
    >
    > PP

    Same here - currently working on that.
    You might want to check the first line in other p***ns. It could be the reason why you don't get any message and only a 200 HTTP code. So it probably has to be accessed in another way, not directly :smiley: - I've tried a bunch of stuff but didn't find the correct way yet.

    EDIT: got it :smiley: (i was right on the above)

  • edited July 2019

    I've enumerated as much as I can think to enumerate via sftp. I can't figure out how some of you are retrieving the user.txt that way but I'm not too worried as I should be able to get it another way. Based on the comments, I'm pretty sure I've discovered all of the details I need to continue but I'm stuck at the tunnel part. That's not something I'm very familiar with and I've tried several different methods but just can't wrap my head around what exactly I need to do to get to the A***n page. I know it involves certain s** options, a browser setting and possibly a hosts edit. If someone could PM me a nudge on the tunneling part, I might have an aha moment!

    Edit: Finally got the tunnel to work. Thanks @six2dez for the tip!

  • Rooted! PM if you need help

  • Rooted. Hooooly crap what a ride. PM if you need help. Didn't really understand why everyone thought it was so great when going for user and was frustrated. After getting user and going onto root, i get it. Amazing box!!!!

  • @jaywon said:
    > Rooted. Hooooly crap what a ride. PM if you need help. Didn't really understand why everyone thought it was so great when going for user and was frustrated. After getting user and going onto root, i get it. Amazing box!!!!

    Hey man, can you give me a nudge on uploading? I read the files the re...ru.. I got its gist but my params or the submission cannot upload a file

    happy to say im a newb
