Haystack

Starting the discussion. :)

«13456719

Comments

  • something about reverse proxies

  • any hints lol stuck in inside the dumps of data

  • Was able to access on higher port, now getting a 502, anyone else too?

  • Stuck at rubber band stuff lol

  • Not finding anything for root atm. User was fairly easy.

    Hint: Port 80 isn't worthless.

  • Yay. Was really feeling like we were past due for another CTF box! :p

  • Some help? 1 port is interesting (not 80)

  • edited June 29

    I've dumped the entire database and so far found nothing useful.

    Dirscanned the sites by IP and hostname, zero results and seems like no virtualhost routing. Haven't found any software commonly exploitable.

    Should I just keep looking at the database? I'm hoping I don't have to copy/paste and translate all that spanish.

    EDIT: Got it. Just need to find a username.

  • Type your comment> @scottrainville said:
    > I've dumped the entire database and so far found nothing useful.
    >
    > Dirscanned the sites by IP and hostname, zero results and seems like no virtualhost routing. Haven't found any software commonly exploitable.
    >
    > Should I just keep looking at the database? I'm hoping I don't have to copy/paste and translate all that spanish.

    Wait. You don’t come to HtB to be trolled in Spanish? I thought that was the point of this site?
  • Root was fun, User is pretty troll.

  • edited June 29

    But how? I did everything I could but I did not achieve anything, I need a clue.
    I have read many books about different types of things to do when it comes to pentesting, but they are very different situations than what I find here.

  • Type your comment> @Ramphy said:

    But how? I did everything I could but I did not achieve anything, I need a clue.
    I have read many books about different types of things to do when it comes to pentesting, but they are very different situations than what I find here.

    Yeah, for this one you need to find some books on how to play hide and go seek.

  • tfw "git gud" significa aprender otro idioma ... jaja. Me quedé un poco atrapado por la barrera del idioma.

  • This is already annoying me lol...so many rabbit holes...

  • I seem to always find the easy boxes harder than medium or hard...

  • Dumped the whole db too but can't find anything useful. This box is driving me nuts...

  • Type your comment> @canyin said:

    Dumped the whole db too but can't find anything useful. This box is driving me nuts...

    The whole e***********h db? All of the indices? You can desbloquear a couple good secrets from in there.

  • edited June 30

    Got user - struggling with root. Anyone able to provide any hints on where to go once I get the user flag? Or is root via another entry point entirely?

  • Type your comment> @iditabad said:

    Type your comment> @canyin said:

    Dumped the whole db too but can't find anything useful. This box is driving me nuts...

    The whole e***********h db? All of the indices? You can desbloquear a couple good secrets from in there.

    Might be that the tool I used didn't get everything out. Got stuff from a few different indices. Can those secrets be dug out without translating?

  • Type your comment> @canyin said:

    Type your comment> @iditabad said:

    Type your comment> @canyin said:

    Dumped the whole db too but can't find anything useful. This box is driving me nuts...

    The whole e***********h db? All of the indices? You can desbloquear a couple good secrets from in there.

    Might be that the tool I used didn't get everything out. Got stuff from a few different indices. Can those secrets be dug out without translating?

    You can identify them without translating, yes. It'll be easier if you know what you're looking for though - there is a big hint via port 80.

  • edited June 30

    I'm so close to root. I see "comando", but am having problems triggering it. Can someone who has completed this step DM me.

    UPDATE: rooted. You need to be a bit patient once you have it. I was expecting it to trigger every X amount of seconds.

  • Type your comment> @iditabad said:

    Got user - struggling with root. Anyone able to provide any hints on where to go once I get the user flag? Or is root via another entry point entirely?

    It's vaguely related and as opposed to user it's actually the sort of thing you'd expect to find on a site named 'hack the box'.

  • Type your comment> @1NC39T10N said:

    I'm so close to root. I see "comando", but am having problems triggering it. Can someone who has completed this step DM me.

    There are three files in there. If you put the three together, you'll get it.

  • edited June 30

    EDIT: Nevermind, answered my own question.

  • Type your comment> @iditabad said:

    Type your comment> @canyin said:

    Type your comment> @iditabad said:

    Type your comment> @canyin said:

    Dumped the whole db too but can't find anything useful. This box is driving me nuts...

    The whole e***********h db? All of the indices? You can desbloquear a couple good secrets from in there.

    Might be that the tool I used didn't get everything out. Got stuff from a few different indices. Can those secrets be dug out without translating?

    You can identify them without translating, yes. It'll be easier if you know what you're looking for though - there is a big hint via port 80.

    Got 'em! Thanks for help!
    Still didn't get the hint in the port 80 though. :D

  • edited June 30

    Hints for this box:

    User - The name of the box and other various hints strewn around should give you general idea. This part is pretty CTFish. As alluded to in earlier comments, there's a hint which will save you some time on one of the other ports.

    Root - Congrats, you've survived more of the joy of CTF boxes. Start over and enumerate what's on the box. With the additional access you have at this point, are things you may have considered before possible now? This part is much more like what most of us are here for, get back to basics.

  • edited June 30

    now how exactly is this considered an easy box while Jarvis is considered a medium box? These ratings are all over the place, and have been for several of the past boxes like Arkham and Unattended.

    will135

  • Type your comment> @will135 said:

    now how exactly is this considered an easy box while Jarvis is considered a medium box? These ratings are all over the place, and have been for several of the past boxes like Arkham and Unattended.

    Seconded. There really needs to be a new dynamic rating system similar to what recent CTFs are doing.

    Still stuck on that rubber thingy...

  • Rooted. Learned a lot about ELK. Very fun box! Thanks @JoyDragon!

    I personally think this box should be lower end of medium as opposed to upper end of easy.

Sign In to comment.