Zetta

Starting the discussion. Who's ready for this?


Comments

  • Ready, steady go! But not sure if it is a rabbit hole ;-)

    v1p3r0u5
    If you need some help => 1) Your findings so far? 2) Your conclusions? 3) Your further ideas?
    RESPECT++ if I was able to help you! => https://www.hackthebox.eu/home/users/profile/139772

  • is that bounce back the right way to go

  • Having 62^32 credentials is definitely interesting. Don't know what to do with it yet though, ideas?

    rowra

  • got the creds used them on f*p got nothing, still working on it.
  • Spoiler Removed

  • i have no idea what i have to do with those creds and an ftp service

  • Any random string of 32 characters works as the username and password for the ftp!

  • yup. ftp supports fxp too, don't know what to do with any of this information though.

    @charlesjameson where'd you find those other creds? Can't find anything else other than the 32chars for ftp on the page

    rowra

  • edited August 31

    google :)

    from the show 'The IT Crowd'

    @rowra said:
    yup. ftp supports fxp too, don't know what to do with any of this information though.

    @charlesjameson where'd you find those other creds? Can't find anything else other than the 32chars for ftp on the page

  • edited August 31

    Can't seem to log in to FTP with provided creds?
    Never mind, I was trying to log in to SFTP

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )
  • I found some open ports by doing an f*p attack, but I don't know how to benefit from that. Can someone give a nudge on what to do next?

  • edited September 1

    Are others getting FTP command timeouts (even after apparently successful login, seen by looking at traffic, raw ftp commands, or curl -v flag)...

    Also, not seeing anything beyond the index page on 80/tcp going light with gobuster so as to not hammer the box...

    Hrm.^H

    Edit: Ah, passive, you deceiver you.

  • edited September 1

    found access to ftp
    Could somebody give hints about next step after ftp?

  • As any 32-char username and password is valid, I'm wondering if some user left something interesting in some account folder... but which one?

  • I think it's something about passive and fxp maybe.

  • Cool, I lol-ed so hard when I saw the IT Crowd reference.

    S1ph1lys

  • Got user last night... working on root (it's about building a good dict, right?)

    A tip for user: the web page has details on what to try... check that 60%

    julianjm

  • @julianjm said:

    Got user last night... working on root (it's about building a good dict, right?)

    A tip for user: the web page has details on what to try... check that 60%

    I was wondering the same; incomplete things are always exploitable, but I didn't find more details about Du-ck. Can you help me in the right direction?
    Thanks in advance.

    cycl0ps
    If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )
    Discord-cycl0ps#5219
    Telegram-cycl0ps

  • Do we need to get an IPv6 address somehow?

  • @D4nch3n said:

    Do we need to get an IPv6 address somehow?

    yup.

  • Got the IPV6 address, no idea where to go now

    clubby789

  • edited September 3

    Stuck at r***c modules.
    Could somebody give me hints about next step?
    Tnx in advance.

    EDIT: Got user, tnx. Working on root.

  • @Boxito said:

    Stuck at r***c modules.
    Could somebody give me hints about next step?
    Tnx in advance.

    If you've got the list of modules, there's some hidden ones. Think about what folders are interesting on most linux systems.

    clubby789

  • Got user thanks to @v1p3r0u5, now onto root

    clubby789

  • @clubby789 said:

    Got user thanks to @v1p3r0u5, now onto root

    While there are many interesting items in the hidden module, I am not seeing any that lead to another hidden module (or user?), unless brute-forcing or spraying is part of solution (which typically is not on HTB)... Perhaps I am overlooking something?

  • @ue4dai said:
    While there are many interesting items in the hidden module, I am not seeing any that lead to another hidden module (or user?), unless brute-forcing or spraying is part of solution (which typically is not on HTB)... Perhaps I am overlooking something?

    Upload access requires a custom script (or rewriting another) to brute force with ro****u.txt

    clubby789

  • Do I have to watch "The IT Crowd" in order to make sense of what's going on?

    limbernie
    Write-ups of retired machines

  • @limbernie
    http://giphygifs.s3.amazonaws.com/media/LdsJrFnANh6HS/giphy.gif

    i heard you're a big deal around here.
    don't make me laugh
    i'm just not into that circle-jerking crap
    
    got better things to do than that fat waste of time
    making your boxes mine with exploits and rhymes
    
    my machine is a weapon
    patched drivers;
    wi-fi packet injection
    
    race condition
    xchg rax, rsp
    pivot to ascension 
    
    your skills ain't even worth a mention
    shut up and listen; now class is in session
    you don't know how to hack.
    see me in detention
    

    Just to keep this on topic I thought I'd say that I'm really enjoying this challenge so far. Thanks @jkr.

     / __| | | | '_ ` _ \ 
    | (__| |_| | | | | | |
     \___|\__,_|_| |_| |_|
    

    Hack The Box

  • Nice poetry :lol:

    limbernie

  • @limbernie said:

    Nice poetry :lol:

    thanks
    but you gotta step up bro

