Ghoul

2456789

Comments

  • edited May 2019

    @MinatoTW what about the files in /tmp owned by root?

    Edit: nevermind i'm an idiot - other people's stuff - thanks for the reply though :)

  • Those are fine.

    Hack The Box

    Don't let the box pwn you!!

  • @MinatoTW Starting to think this "File Upload" is just a troll... (once again, lol. Ran into 2 already). I hope to god I'm not wasting my time. Been stuck at this same part since it released yesterday and haven't slept yet :dizzy:


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • +24 hour box !

  • Okay i understand the idea of try harding and thinking outside the box but isn't this a bit extra ? There were 3 guesses (as far as i faced with) and what are those other su....s tbh ? Do we need bring 10 pieces of notes to solve a puzzle which doesn't even work in the way they explained ? I got disappointed with this one compared to your other boxes...

    morph3

  • edited May 2019

    Since everyone is stuck in a certain part just before root (ironically, the last steps are very clear, but AFAIK everyone is missing something in the middle) might as well give some user hints

    • Enumerate everything, and make sure you note down anything that sounds "suspicious" or different from what is supposed to be a wo*****ss site
    • If things aren't working as you expect, as the saying goes, "if the mountain will not come to Mohammed, Mohammed will go to the mountain"
    • The box makers left lots of cryptic clues, some are useful and some are not, but make sure you note them all down

    mpeg

  • Type your comment> @mpeg said:

    Since everyone is stuck in a certain part just before root (ironically, the last steps are very clear, but AFAIK everyone is missing something in the middle) might as well give some user hints

    • Enumerate everything, and make sure you note down anything that sounds "suspicious" or different from what is supposed to be a wo*****ss site
    • If things aren't working as you expect, as the saying goes, "if the mountain will not come to Mohammed, Mohammed will go to the mountain"
    • The box makers left lots of cryptic clues, some are useful and some are not, but make sure you note them all down

    It would be helpful if wp***n actually recognized that it's a wo*****ss site, but it doesn't...


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • So is the upload a rabbit hole?

  • edited May 2019

    Type your comment> @Glasgow said:

    So is the upload a rabbit hole?

    no the upload is not a rabbit hole I assure you I just championed the upload and have landed a shell

    Now this is at the creator about your clue to ignore /var/tmp does the nsa or encryption have anything to do with this ?

  • edited May 2019

    is the se***.jpg a rabbit hole or needed to get to ka***_*dm ?

  • edited May 2019

    I am surprised I owned the user, but giving up with root for now, have to improve my skills on easier boxes :)
    User: take a ride down the slide
    Very nice box till now :)

    If you appreciate my help, please give +1 respect :)
    https://www.hackthebox.eu/home/users/profile/76469

  • Can we agree yet that this is the worst thought-out box in HTB, or should we wait a few more days for that?

    mpeg

  • edited May 2019

    Type your comment> @mpeg said:

    Can we agree yet that this is the worst thought-out box in HTB, or should we wait a few more days for that?

    For now I can agree on that, unless the root is really something special and clever...

    EDIT: I'm an idiot.

  • I still believe that there is something wrong with the box. I think creators forgot to add something or something is not working in the way it's supposed to and there are some pieces that doesn't fit to anywhere. Such a waste of time .

    morph3

  • Now you know nothing is missing. ^

    Hack The Box

    Don't let the box pwn you!!

  • @MinatoTW said:
    Now you know nothing is missing. ^

    Can confirm, nothing is missing ^^

    Badge

  • Type your comment> @MinatoTW said:

    Now you know nothing is missing. ^

    So the box is a time-waster by design! Good to know.

    OSCP | TMHC CTF

  • Hello, found something that doesn't work and why, but that's all, used burp, nmap, owasp zap and nessus (<- know that here u don't have to use it but nevermind I'm happy), anyone can send me a hint? Thanks

  • edited May 2019
    Hi,
    i also found some useful sites. Should i guess user and password or should i brute force it?
    I am thankful for a hint :-)
    update: no need to brute force :-) you can guess the user and password. It is verry easy ;-) and sometimes i think i am stupid LoL
  • I've authenticated against both 8080 and /us/index.php but not sure where to go from here. Is it this kai.jpg?

  • edited May 2019

    Got a shell. Working on getting user now. This box has been a total pain in the ass so far.

    Edit: Got user. Time to try for root. This thing is gnarly.

    Hints for user: You'll have to do some Googling to get what you want to use "sealed" together... Once you've done that, you can find it again...


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • Apologies for the incoming wall of text, but emotions seem to be running high over this box.

    One of the last steps to getting root can be frustrating due to the data being tucked "out of the way" as compared to everything else discovered and hinted at up until that point. However, in hindsight it's a legitimate case of just having to try harder.

    There aren't really any trolls or CTF garbage on this box, the makers aren't in here memeing you guys to death and being insufferable, and there are hints laying around all over the place. Some of those hints are subtle and easily missed, but they're there.

    This box seems to be designed to teach you to enumerate E-V-E-R-Y-T-H-I-N-G and to not be lazy. If you don't abide by that, you will smash your face against the wall for hours and get nowhere. That's not because the box is garbage or because the makers are trolling you; it's because you are overlooking "little" things that are actually quite important.

    I think this box achieved its goal in getting people to go over things with a fine toothed comb. It's 90% enumeration and trawling through the filesystem looking for that needle in the haystack. There are some pivoting and POPPIN' SHELLZ moments, to be sure, but it's mostly enumerate, enumerate, enumerate! Some people may argue that this kind of realism makes the box unfun, but that's really down to personal preference. I disagree, but that doesn't mean you're wrong.

    TL/DR: Go easy on them, guys. I promise you everything works just fine and what you're looking for is 100% right there under your nose.

    I personally had a blast and learned a handful of things, despite being stuck at the same point everyone else was and being quite frustrated for a time. Thumbs up overall. Thanks for the learning experiences @MinatoTW and @egre55.

    opt1kz

  • Thanks @opt1kz for the priceless feedback. We're glad that you enjoyed and made full use of what the box had to offer. Apologies for any inconvenience due to the leftovers from previous versions.

    Hack The Box

    Don't let the box pwn you!!

  • edited May 2019

    Type your comment> @MinatoTW said:

    Thanks @opt1kz for the priceless feedback. We're glad that you enjoyed and made full use of what the box had to offer. Apologies for any inconvenience due to the leftovers from previous versions.

    I am currently having trouble with root but I am not sure of I am supposed to be bruting *it ?

    very good challenge bro either way whether its hard or not nothing is ctf about this box that is what you think until you really pay attention I will admit things are a bit off logic wise to me but my friends had to explain a few concepts about tunnels better and also a few other things that come in handy now I get whats going on and these damn ghouls keep chasing us humans someone might decide to chase them back ;)

    Edit I think I may have found what you guys mean but im confused as hell am i supposed to decode this debug stuff somehow?

  • edited May 2019

    I appreciate the work put into this box, and while the last vector of attack for (last) root was awesome, the path to reach that point was excessive in my opinion.

    artikrh

  • edited May 2019

    No significant find but in the HTML source of the art site, one of the attributes for the slider says data-whitespace="nowrape"- nowrape. I'm sure it meant nowrap. Japanese anime theme FTW!

    limbernie
    Write-ups of retired machines

  • yes this is unfortunate in the extreme and completely unintended typo by the creator of the original template - we only changed the code for the upload functionality. wouldn’t trivialise something like this

    egre55

  • In case you need to verify it - https://colorlib.com/wp/template/sierra/ .

    Hack The Box

    Don't let the box pwn you!!

  • > @artikrh said:
    > I appreciate the work put into this box, and while the last vector of attack for (last) root was awesome, the path to reach that point was excessive in my opinion.

    Thanks, we'll make sure not to stretch it that long the next time. :)

    Hack The Box

    Don't let the box pwn you!!

  • > @wabafet said:
    > Type your comment> @MinatoTW said:
    >
    > Thanks @opt1kz for the priceless feedback. We're glad that you enjoyed and made full use of what the box had to offer. Apologies for any inconvenience due to the leftovers from previous versions.
    >
    >
    >
    >
    >
    > I am currently having trouble with root but I am not sure of I am supposed to be bruting *it ?
    >
    > very good challenge bro either way whether its hard or not nothing is ctf about this box that is what you think until you really pay attention I will admit things are a bit off logic wise to me but my friends had to explain a few concepts about tunnels better and also a few other things that come in handy now I get whats going on and these damn ghouls keep chasing us humans someone might decide to chase them back ;)
    >
    > Edit I think I may have found what you guys mean but im confused as hell am i supposed to decode this debug stuff somehow?

    Thanks for the feedback. Google about the services running and the vulns related to it. You'll find something surely. :)

    Hack The Box

    Don't let the box pwn you!!

Sign In to comment.