Postman

1121315171838

Comments

  • I have the r...s user and M.. user and now I think I have found a loginpage at 10.10.10.160:xxxxx but I just can't access this page. 10.10.10.160 website works just fine, but not the loginpage. Should I be able to access this page ?

  • My first rooted box on HTB ...DM for ant help

  • Ok, got user and root, without m********t..
    Some tipps&tricks:

    Foothold:
    Play around and google. There are different(!) ways to get in (don't go for copy&paste exploits.. won't work :P), BUT as everyone is messing like stupid with automated tools (it is more efficient btw to do it manually..) the box is heavily stressed and flipping around.
    As soon as you get in, try to automate it. You do not need some kind of vuln frameworks, a simple bash script is enough to get the low priv shell in. I had to repeat the execution of the script sometimes up to 15 minutes(yes, I used delays :D) until I got in again because ppl were messing with the box. So don't give up ^^

    user:
    Now you're inside, explore what you get. iterate through all files you can open, abuse them and use some basic Linux commands.

    root:
    my internet sucks, I wouldn't be able to download bigger frameworks for automation in less than many hours...so back2roots.
    Look what you get beside on other ports, get in and play around.
    github + chrome/curl was enough to get root.
    (now automated with few lines bash)

    tldr:
    use your brain, frameworks will fail.
    "READONLY" and similar messages popping up because ppl try stuff, read the docs for the application to know how to help yourself or wait some minutes until the box had some (soft?) reset on that and is working again. It can be super annoying...I know
    Write your findings into a script to have one command to get into in, as its annoying otherwise to execute over and over again the same.

    Feedback:
    It was my first box on HTB and it was quite funny. I learned here and there some stuff, mainly to be patient because many persons here are messing around with the box which lets it sometimes in a weird state for a couple of minutes. This was from time to time really frustrating ^^
    But overall, thanks @TheCyberGeek for this box, I really enjoyed it overall :)

    (I tried to keep it vague but if it already too much spoiler pls lock the post :))

  • guys i need some help :(
    i'm stuck with the module load and this stuff, hints please

  • Type your comment> @outisx said:

    guys i need some help :(
    i'm stuck with the module load and this stuff, hints please

    wrong exploit..

  • rooted with m********t . All hints are on this forum.

  • edited November 2019

    can someone nudge me in the right way to enumerate the user so i can use r***s to drop my ssh keys? i just cant find the right directory to drop them in.

  • Any tips on enumerating users? cannot be certain if it can be done through r****-i or not! I think not, so s needs a user, is cli*** s*****e command (r****-**i command).

    I think I'm over complicating things?! Any nudges?

  • Type your comment> @salt said:

    Any tips on enumerating users? cannot be certain if it can be done through r****-i or not! I think not, so s needs a user, is cli*** s*****e command (r****-**i command).

    I think I'm over complicating things?! Any nudges?

    r****-**i is the right way

  • Type your comment> @0xbadbac0n said:

    Type your comment> @salt said:

    Any tips on enumerating users? cannot be certain if it can be done through r****-i or not! I think not, so s needs a user, is cli*** s*****e command (r****-**i command).

    I think I'm over complicating things?! Any nudges?

    r****-**i is the right way

    Thanks! will it enumerate users, or should I create the s** user and get it?

  • Just rooted the box. Honestly if you are not familiar with Rs it can be difficult. That took the longest. Once I got user I got root in about 10 minutes. Hint would be if something does not work how it should look to see if you can do it another way, once you are in check your scan results again and see if you can find anymore vulnerabilities for root. Thanks to @noi, @Lycist, and @s0clyst for the hints on Rs.

  • Rooted, fun box.

    Need help? Contact me on discord: hecker#7348

  • Rooted! Feel free to contact me for hints :)

  • User & root owned. I would recommend this box to anybody starting out

  • Rooted, Feel free to ask for hints :)

  • edited November 2019

    Rooted! Good box for newbies. thx @bumika
    PM 4 hints.
    Also, dont forget about case sensitive...

  • Type your comment> @salt said:

    Type your comment> @0xbadbac0n said:

    Type your comment> @salt said:

    Any tips on enumerating users? cannot be certain if it can be done through r****-i or not! I think not, so s needs a user, is cli*** s*****e command (r****-**i command).

    I think I'm over complicating things?! Any nudges?

    r****-**i is the right way

    Thanks! will it enumerate users, or should I create the s** user and get it?

    np, the r**** user should be enough to get get a low priv shell

  • Someone have some tips for initial user enumeration? Getting root is very obvious..

  • Just rooted 1st box thanks to @Franna and @S0clyst for the nudges. Message for a nudge.

  • Spoiler Removed

  • edited November 2019

    OK - revisiting this system, have user. Working on root, I think I have the correct exploit via CVE and git. However when using it, I get redirected to a Security Warning.

    I am using the user's c***** in B*** S****.

    I have reset the system about half a dozen times to make sure the configs haven't been changed. But the some times the r****-c** exploit doesn't work.

    Am I on track here? (for root)

  • Hmm so I tried to overwrite Axxxxxxxxxxxx but it doesn’t work. Is it suppose to work and I’m just getting unlucky?
  • i really went about this one backwards; rooted before I got user but I guess I was really focused on the path to root that i kept going?! idk User just took me to think about how i could use what i already had and then... duh. Anyone else feel it was a lil crowded, or was it just my bad timing?
    I thought it was a good box @TheCyberGeek

  • edited November 2019

    I finally got an initial foothold after a small hint in this thread tipped me off. And I'm now going after user. But I have to ask, how in the name of all that is good, do you manage to find that directory for that oddball config of **h? Can someone who did it on their own PM me, please and explain the thought process. It would have been dumb luck for me to have found it. Much thanks in advance. Now on to user.

    Hours later, got user. and got root Root was much easier. I liked this box. @TheCyberGeek thanks.

  • Rooted, PM nudges are welcome.


    Check out my blog
    Always happy to help! but please consider dropping some respect. ^^

  • Rooted, I enjoyed this box. There are plenty of hints on here already. Also remember to check the box's profile page via HTB to see what it consists of. The main point that pops out is it is heavily CVE related.

    That said, you can PM me via discord for hints.

    Discord : secHaq#7121
    trigger

  • Thanks for the box. As a n00b, I appreciate the easier boxes, and I thought this one had some nice quirks to keep the obvious exploits from working. Also the password that doesn't work where you think it does was a useful reminder to keep my options open.

  • edited November 2019

    What's with the contents of root.txt ?!!!

  • Hi guys, is anyone able to run "config set dir .." in r**** ? i keep getting permission denied.. not sure what im doing wrong here..

  • rooted, thanks to @donkeysnore for the nudges.

Sign In to comment.