Ellingson

Comments

  • Rooted!, it was a fun box!

    Feel free to PM me if you need help.

  • edited May 2019

    Finally rooted! Thanks @opt1kz for the nudge

    Kudos to the creator for an awesome box.

  • Anyone that got root can drop me a PM, how can I interactive back to me? Have everything ready but I think this is the problem, I can't interact?

    ntroot

  • I'm stuck after getting a shell as h**. Any hints?

    tiger5tyle

  • edited May 2019

    @tiger5tyle said:

    I'm stuck after getting a shell as h**. Any hints?

    When I got stuck and desperate, I found @Zot's advice of #yolo-copying directories until you notice something stand out helped.

  • edited May 2019

    Nice machine ! Learned a lot !

  • edited May 2019

    Need a bit of help with the passphrase for the i*_R** keys... Should I be bruteforcing that locally or am I on the wrong path to user?

    Edit: Thank you @BADBIT for putting me on the right path. Just got ssh and have already learned so much from this box.

    phase

  • edited June 2019

    Hey so I have access as H** user and was able to find and decrypt the file, but the result is not getting me anywhere. Anyone mind PM'ing me a pointer on this?

    Edit: Thanks for the pointers, was just impatient.

    Kwicster

  • Finally finished this, but not without help. Really cool theme, I urge everyone to watch the movie, if there still are people who missed it (won't help with the challenge though).

    USER HINT1: once you know how to execute code reset the machine before digging further, as apparently something breaks the level (periodically?).
    USER HINT2: once you have something to break, don't be afraid to give it more time and wait for more results. In my case I needed a bigger input file than usual.
    ROOT HINT1: the CampCTF video posted earlier is of GREAT help.
    ROOT HINT2: if you are struggling (e.g. EOF while interactive), a good idea may be to locally spin a close copy of the operating system that is used on the challenge machine, remembering to set the permission bits on binaries the same way as they are on the challenge machine. Look for similar exploits for that OS and what they are doing, you may be missing a piece.

    PMs welcome.

  • Finally solved!!!! This machine was amazing, I've learned a lot, especially in the second part :)
    Thanks to everyone who helped me, especially @m4xp0wer @htejeda and @opt1kz

    Here are my hints:
    User: enumerate the site very well until you find something very very juicy.
    With that you can do a lot of things, including getting access to the machine.
    Then it's just Linux enumeration that will help you find another file, very interesting and precious.

    Root: enumerate very well and you'll find something strange (it's pretty obvious).
    Received a lot of help because it was my first time with something like this. Go back in the discussion, you will find the video of your life, that will road you to the light!

    PM me if you need help :)

    Message me with 1) Problem description 2) What did you try so far? 3) Your ideas about next steps

    If you appreciate my help, please give me +1 respect
    https://www.hackthebox.eu/home/users/profile/57582

  • After HOURS of banging my head trying to get user I found what I was looking for. I overlooked the file MANY times because somebody changed the permissions for the file........ Had to reset the machine to get the permissions back where they belong.

    Thanks @Razzty for all the help!

    phase

  • I found the pass for th******* user but I can't authenticate... am I missing something?

    amra13579l

  • edited May 2019

    @amra13579 said:

    I found the pass for th******* user but I can't authenticate... am I missing something?

    Same.

    Edit: Got it. I'm going to quote @psie.
    "once you have something to break, don't be afraid to give it more time and wait for more results. In my case I needed a bigger input file than usual."

    phase

  • Stuck with the rop part for root. Anyone willing to share a few tips ? I'm relatively new to exploit dev and keep getting "Got EOF while reading in interactive" on my local machine
    Otherwise, it's a lot of fun !

    globule655

  • I'm stuck trying to get stage 2 to execute. My code just hangs when it gets to stage 2.

    phase

  • @Phase said:

    After HOURS of banging my head trying to get user I found what I was looking for. I overlooked the file MANY times because somebody changed the permissions for the file........ Had to reset the machine to get the permissions back where they belong.

    Thanks @Razzty for all the help!

    I'm pretty sure it's not a malicious attacker, it's just a slight oversight in the box's design. If someone from HTB with the ability to fix boxes wants to PM me, it's easy to fix.

    Until then, if you've got a full shell but can't find your way past h**, check the box's uptime. If it's over 6 hours I would reset it.

  • @globule655 said:

    @tiger5tyle said:

    @globule655 said:

    you're almost there but I think you're having it backwards. It's more a game of what the server needs from you to log in without a password than the other way around

    How so? I'm giving it the i*_r** key. Am I missing something else?

    There's a specific file you can write into that will help you more than providing the server with its own private key

    I am losing myself at this point. I thought I had this figured out, but it just won't work.

    Please PM me with assistance - I doubt it can be discussed here without spoilers ..

    Cheers

  • @N1dhu9 said:

    @globule655 said:

    @tiger5tyle said:

    @globule655 said:

    you're almost there but I think you're having it backwards. It's more a game of what the server needs from you to log in without a password than the other way around

    How so? I'm giving it the i*_r** key. Am I missing something else?

    There's a specific file you can write into that will help you more than providing the server with its own private key

    I am losing myself at this point. I thought I had this figured out, but it just won't work.

    Please PM me with assistance - I doubt it can be discussed here without spoilers ..

    Cheers

    Think about what YOU can supply the server so you can connect...

    phase

  • edited May 2019

    I've downloaded an **_*** from the t******** but I'm not getting anywhere with the passphrase, even with the info on the articles. Is this a rabbit-hole?

    Edit: Yup, rabbit-hole. Getting tunnel vision and missing the obvious. Thanks @Razzty for the nudge.

    mogyub

  • @N1dhu9 said:

    @globule655 said:

    @tiger5tyle said:

    @globule655 said:

    you're almost there but I think you're having it backwards. It's more a game of what the server needs from you to log in without a password than the other way around

    How so? I'm giving it the i*_r** key. Am I missing something else?

    There's a specific file you can write into that will help you more than providing the server with its own private key

    I am losing myself at this point. I thought I had this figured out, but it just won't work.

    Please PM me with assistance - I doubt it can be discussed here without spoilers ..

    Cheers

    Feel free to send me a message with your questions

    globule655

  • Stuck at getting the initial shell...

    Any help with the traceback...looked at the debugger but can't seem to find any good functions to obtain the file needed through some type of LFI.

    OSCP

  • @pytera said:

    Stuck at getting the initial shell...

    Any help with the traceback...looked at the debugger but can't seem to find any good functions to obtain the file needed through some type of LFI.

    Try to focus on reading and writing files.

    phase

  • @pytera use python to get initial shell

  • edited June 2019

    Still get quite a few DMs with individuals missing the second one... so... from the box page

    We have recently detected suspicious activity on the network. Please make sure you change your password regularly and read my carefully prepared memo on the most commonly used passwords. Now as I so meticulously pointed out the most common passwords are. Love, Secret, Sex and God -The Plague

    So, knowing that those are the most common passwords, how can you shorten your wordlist to speed things up?

    -Keep Learning

  • edited June 2019

    Stuck with Got EOF while reading in interactive...

    If anyone has any advice to put me on the right path I'd really appreciate it.

    I have an idea of what I need to do just not too sure how to code it.

    phase

  • @Phase said:

    Stuck with Got EOF while reading in interactive...

    If anyone has any advice to put me on the right path I'd really appreciate it.

    I have an idea of what I need to do just not too sure how to code it.

    I am stuck on this part in the first stage of exploit too.
    Anyone willing to help?

  • @ShayNay said:

    @pytera use python to get initial shell

    Tried a few things...like running a nc shell from

    @pytera said:

    Stuck at getting the initial shell...

    Any help with the traceback...looked at the debugger but can't seem to find any good functions to obtain the file needed through some type of LFI.

    I got initial shell.. DM if anybody needs a nudge.

    OSCP

  • I'm creating a custom wordlist to crack some hashes, anyone know a good mutator? I've tried rsmangler but it always crashes when I try the --full-leet option.

    mogyub

  • @mogyub said:

    I'm creating a custom wordlist to crack some hashes, anyone know a good mutator? I've tried rsmangler but it always crashes when I try the --full-leet option.

    It’s not necessary. Try one of the ones that come with kali.

    phase

  • Working on root. Trying to follow the CampCTF video recommended, however, I have no previous experience in this general area, not even the easier types. When it gets to the R2 part, (around 9:09), it returns nothing for rdi. I suppose I could use rbp instead? What other changes would I need to make with this substitution? Should I instead first learn some of the challenges to build up knowledge in this area? Thanks guys, I love the HTB community!
