• edited January 16

    Finally rooted!

    This was my first hard box and therefore also took longer time to complete.

    The whole journey was worth it in the end, even though someone changed the cms login password - took some extra time, but thanks to @plackyhacker for acknowledging my attempt path was correct.

    So tips for you who are stuck.

    User1: enumerate and when you find it, get it and extract what you need

    User2: I so overcomplicated this. Read about how the app is working and when you know - modify it.

    Root: if you have read the file, which you most certainly have by now, you will know what to do.

    Thanks for a great box!

  • This was the most god damn annoying box aha

    Learnt the most from it though.
    Cheers for the box.

  • Is anyone else having trouble with a config file while using r***-s***** to get to root ???

  • can you please give me hints on the initial foothold, i found the /inst*** and download it and extract what's in it, but nothing useful for the creds???


  • edited January 20

    User was fairly straight forward, time to figure out root


  • Type your comment> @Kwicster said:

    Man i feel bad even asking, but if anyone has a hint for the webshell/reverse shell part, i could really use it. Have auth with the webapp, but can't get around the file upload barriers

    you are already admin of the webapp
    whatever blocking you in the webapp, you will be able to change it

  • edited January 20

    After about a week I have finally rooted this box!
    First hard box from me, big thankyou to @3ken45 @J0hnD03 @noi for the nudges.

    A few tips from me:
    User: find out what the web service is, and read up on common ways to "exploit" it. There is so much info on the web - read walk-throughs and the manual online, and user is actually pretty straight forward. Do some enum to get a shell.

    Root: root took me a solid 5-6 days. Look through the forum here and you'll see that from user1, you'll have to get to another user before you can get to root. The exploit you'll find online for that particular version of b*** won't work (if it did it wouldn't be a hard rated box). You need to find another way to achieve the same as that exploit (although the exploit doesn't work, it still has something to do with f*** u*****). Once you get user2, its just more enum and reading manuals. Don't skim over the manuals like I did, take your time to understand how re**** works.

    Hack The Box

  • edited January 23

    At a loss on user2; have user1 ssh, have cms control. Evidently not getting my head far enough "out of the box." Any kind soul with a nudge?

    edit: done; what a box!

  • stuck on root need help =(

  • Im stuck on the initial user, I could definitely use some help trying to go to the second user.

    Hack The Box

  • I'm now in the container place after some basic enumeration d*****.re******.h**/v*/ . It asks username and password to authenticate. Can anyone give me a nudge on it? Thanks in Advance.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • I've come to a stopping point for access to w-***a shell. I have access to C and as seen in the forum, the obvious fu vulns don't work. I've tried with a java shell as this is a supported file type and still no joy. Any DM's to get me from user1 to user2 would be appreciated.

    I have shell access with user 1 also.

  • Root took me more then i expected. Thanks for this great box.


  • edited January 27

    stuck getting initial shell... found the /i****** directory and extracted the c*** . Also found the d***** web app and the name of the repository in it b-i**** having trouble using d***** p command due to the self signed cert

  • well this machine its really interesting.

    enumeration was really easy, lucky me, in past days a was reading about vulnerabilities in d***** so, obtain access to shell was easy after found the first 3 files, user 2 OMG, really good challenge, i used a backdoor through my first con, and finally root, Good Lord, after read the manual and view the command was not sure if DIY apply so I ask to other users but the answer not was really usefull.

    well this is my hints.

    Start -> the challenge is make technology your friend, this is friendly if you ask.
    User1 -> The funny thing is with the enum you obtain this access just puth J*** to work.
    User2 -> Now i can see other ways, but in fact, for my i took the easy to backdooring my connection, think about it, if front is bloked so...

    root -> I like when challenge its really about how you can manipulate the instruccion, its easy, think in what do you need to make work this stuff...

    as always, thanks to @backslasht for the machine, and thanks to everyone for the hints.

    If this result in spoiler, please delete it.



    +respect me if I helped you :}

  • guys iam stuck at inital steps
    found a login page at /v2/ is that the way?

  • Enjoying the box so far... Got user and have access to b/b in order to gain access to w**-****, any nudges would be appreciated. Thanks.

  • Hello,
    I'm stuck. Can't login with s** on the machine. I founded the private document with the password, impossible to use it for ssh.
    Anybody have an hint ?
    Thx !

  • Lots of hints already on here so I'm not gonna troll by reiterating whats already here. What I would say is that, after a few weeks of mulling it over, this is absolutely one of my favorite ever boxes. The entire thing, imo, was epic from start to finish. Happy to provide nudges on via DM / Discord (5ysk3y#6172) for those who are stuck.


    For assistance:

    1) Plz msg me via the main HTB messaging system, not the forums or my wall
    2) Give me some insight as to what you've tried already, or ideas you've moved past
    3) Don't expect me to give you the answer-- that defeats the object of being here.

    If you find my assistance useful, in any case, please consider clicking that awesome respect button on my profile!

  • Very cool box, being a borgbackup guy myself, it was fun to play with r***.
    Another hint that cost me some time: There's something in the way going outbound from the box, but you already have SSH. Always remember your options..


  • edited February 3

    Stuck at b*** user, found b*** cms files and r***** cli app but got no clues on how to proceed. Can't find a way to login into the cms, can't upload a file, just the index.php page. Can someone give a nudge? Thanks!

    Edit: Found a hash on b**.d, cracked it, but don't know where to input it..

  • edited February 3

    Very cool box so far, I'm just struggling with the last root step.
    I keep getting the following error

    EOF ReadFull Password - unable to read password||

    Received nudges from multiple other users so far that have all told me I'm doing the right thing yet I still get the error shown above. Weird stuff. Gotta try harder :D

    Edit :
    And as it always goes, I cracked it 30 minutes later. :) Great box!

    Hack The Box

  • Rooted. I have learnt and enjoyed a lot during doing this box. Thanks so much @Rolesa and @noi for helping me!

  • edited February 5

    I'm so close, and so annoyed. Can't root via d***** , as I'm 32 and not 64. 2 days of my life I wish I'd spent elsewhere! :) If anyone knows an unintended method, I'd appreciate a nudge over PM as I can't do it the intended way(unless I'm missing something?)

    Edit - Now done. Definitely don't look at this if you running the Kali OSCP exam VM as your base.

    If I've helped get you in the right direction, please give a little respect. Thanks!
    Or, hodor hodor hodor hodor hodor hodor hodor hodor hodor, hodor hodor hodor hodor hodor. Hodor!

  • Rooted ! Fun box

  • Great box, really, learned a lot from this, thanks to all for the precious hints

    [email protected]:~# id
    uid=0(root) gid=0(root) groups=0(root)
    [email protected]:~# wc root.txt
    1 1 33 root.txt
    [email protected]:~#

    Hack The Box

  • nice Box thank u ! mp for help

    Hack The Box

  • edited February 8

    Need someone to kindly give me a nudge, I'm running the d***** im*** and I can see that I can ssh to the remote box but I can't seem to crack the passphrase for the ssh key?

    edit1: Never mind, thanks @3l0nMu5k for the nudge

    edit2: rooted, but i think someone had borked the box a bit, had to reset it before i could do my exploit to pivot to second user, that was a really fun box :)

  • edited February 8

    I'm stuck with this error

    Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

    any help ????

  • @SaMuTa said:

    I'm stuck with this error

    Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

    any help ????

    Looking at the port, can you confirm you've added the address to your hosts file?


    Happy to help people but PLEASE explain your problem in as much detail as possible!


Sign In to comment.