Obscurity

1235727

Comments

  • edited December 2019

    Just rooted, appreciation to @c1cada for nudge in initial foothold.
    Escalation to root super easy. Overall I can imagine that for devs specializing in one famous reptile language this whole machine is very easy (first blood in user and root taken in less than half an hour).
    In summary - nice experience, especially initial part.

    m4rc1n

  • Type your comment> @Hilbert said:

    I thought that was a super fun box, I enjoyed every step

    user: If you understand what it's doing, you don't even need to write a line of code to reverse it

    root: I'm apparently opposite of everyone so far, as I thought root (I went intended way) was significantly harder than user (Thanks to @bertalting for the help), so if that's you, don't get discouraged by the comments, you aren't alone. If you are stuck you might want to Watch where you are looking. Also, I had to create the /***/S**/ directory for some reason which I don't understand, but if you are getting that error, try that.

    I think someone has deleted the S.. folder so that you must create it again. There are some trolls around on every box :)

    Hack The Box

  • Anyone care to PM me a nudge for the fuzzing of the directory? Tried ffuz and wfuzz with a lot of lists, but no fun so far

  • edited December 2019

    Spoiler Removed

    Oops, my bad. Thought I was completely off so it wouldn't be a spoiler LOL

    hackerB31

  • Spoiler Removed

  • Получил root.

    Машина очень полезная. Много нового узналю

    Спасибо за создание @clubby789 . Ощущение двоякое в одном месте машина легка в другом сложна. Для ее решение нужно понимание яп python и bash

    до пользователя нужно найти на сайте где расположен скрытый файл .py изучить его и понять как можно это использовать

    изучите код и поймите что можно использовать и сделайте нагрузку. и получите оболочку

    user: изучите скрипт поймите как он шифрует и попробуйте расшифровать. кодить не надо скрипт все сам делает. процедуру нужно повторить несколько раз

    root: знания Bash и зацикливание вам помогут в открытие файла.

  • Hi guys can I have a nudge for encrypted

  • If you know Python, this machine would be a piece of cake. Otherwise, you may suffer.

    This machine is purely CTF in my opinion so I really didn't like it.

    Initial entry: find the path, fffuf is the way to go.

    User: Python (you will probably need to write code here)

    Root: Python (reading is enough)

    Good luck!

    Hack The Box

    OSCE | OSCP | CRTE | GPEN | eCPTX | CREST CRT | GDAT | eCPPTv2 | GWAPT | OSWP | ECSA (Practical)

  • here my problem User: Python (you will probably need to write code here)

  • Rooted. My experience:
    Foothold: Need a little bit of clever wfuzz. Just look at the 404 error its giving if you need hint...
    User: The hardest one in this machine. I spend a whole day for it... You will need programming and math skills for decrypting it.
    Root: Really easy once you do the user. Remember, if you cannot do a thing quickly, that's why scripts were invented....

    Feel free to PM me for hints. But I won't be available for whole day. So be patient if I don't reply...

  • edited December 2019

    I had a lot of fun with this one. Took some time, since after I had some network issues with netcat keeping open, I created my own "reverse-shell" for this.

    It's far from good, but I thought the idea was so laughable, that i just had to do it.

    You can see it at : https://github.com/blaudoom/HTB_obscurity
    zip protected by root-flag

    Also spent too much time not reading filenames properly and mistook the py in the home folder for the server-script. I was looking all over the server for the file :P

    @clubby789 Good first box IMO

    Edit: Have to add that, eventough the root was easy, it was very current.

    Blaudoom
    Discord: Blaudoom#1254

  • edited December 2019

    Rooted!

    Initial FootHold:

    • Read the webpage and you will find something interesting but with not known path (any fuzzing tool will help you)
    • Read code and exploit

    User:

    • Brute force is not necessary

    Root:

    • Really?
  • I don't know if I'd rate this as a pure CTF. It's a lot of code reading, but that's part of pentesting real world systems too. It just seems to be more condensed here. At least it's not in some obscure language.

    Foothold: Any fuzzer should work. I used wfuzz. Running the .py locally for debugging is a huge help.
    User: More code reading. Take the time to understand the math being done. Ignore the context of what it says is being done, and just focus on the math.
    Root: More code reading... pretty simple.

    As a developer, I enjoy using someone's code against them. Thanks @clubby789, that was fun.

  • edited December 2019

    I've read every post 3 times, tried several wordlist, even the full r**ky*u.txt with and without ext. I am doing something wrong and can't figure out what i need to do. will someone pm me a nudge?

    Thanks - got it

  • edited December 2019

    Rooted :)

    Fun and challenging box

  • Type your comment> @102707 said:

    I've read every post 3 times, tried several wordlist, even the full r**ky*u.txt with and without ext. I am doing something wrong and can't figure out what i need to do. will someone pm me a nudge?

    I used d.td.t..n to find something very interesting. Parseltongue, what's that? Time to learn. Yes, I'm still struggling :-)

    sx02089

  • Type your comment> @sulcud said:

    Rooted!

    Initial FootHold:

    • Read the webpage and you will find something interesting but with not known path (any fuzzing tool will help you)
    • Read code and exploit

    User:

    • Brute force is not necessary

    Root:

    • Really?

    Just what i thought when i did root too :D

    0byte

  • edited December 2019

    .

  • which wordlist to use while fuzzing ? tried default wfuzz ,not giving any result

  • Thanks to the creator of the box, but I did not appreciate this machine at all.

    [email protected]:/root# id
    uid=0(root) gid=0(root) groups=0(root)
    

    The user part is relatively simple .. This is subjective of course .. Otherwise for the root part you will not have too much complication.

    Thanks ! @clubby789

  • Type your comment> @wolfflow27 said:

    which wordlist to use while fuzzing ? tried default wfuzz ,not giving any result

    ffuf works really well for initial fuzzing.

    Hack The Box

  • edited December 2019

    Rooted... learned few things... Was great! Seems i know a lot better Py then bash... as i used Py script for root..... Need to close gaps in bash

    Password for root really funny :)

    Feel free to ask if struggle....

  • Seem to be having a problem with the initial fuzzing, don't seem to be able to find the directory

  • Type your comment> @mosaaed said:

    here my problem User: Python (you will probably need to write code here)

    You can solve it without writing a single line of code.Just use what you already have and derive what you need

    trollzorftw

  • Spoiler Removed

  • Having trouble with the initial fuzz. Using typical approaches that have worked on other machines and returning nothing. I've seen the hint about the 404 message, but not sure how to use it. Any nudge would be much appreciated. Thanks.

  • edited December 2019

    My experience with this box was interesting. This is probably the first CTF-Like box I had done, so it was definitely an experience for me.

    Foothold: Not really much to say, forgetting a few basics along the way, but fairly straightforward.

    User: Dealing with a corrupt file made my life a little harder than it probably should have been, but I managed to manually do what I needed by understanding the logic and do some open sourcing along the way.

    Root: Um, not really much to say, was a little disappointed, but still fun.

    Overall, not super difficult for a beginner like me. Learnt one or two things along the way, but nonetheless it was a fun intro box to CTF-Like ones.

    Thanks to @Hilbert for putting up with my ramblings and @bertalting for helping me fix my initial foothold issue.

    Spknoxy

  • Type your comment> @c00de said:

    Rooted, thanks the most to @atii22 for helping me
    anyone needs help you can contact me

    i have got an obscura page... now what should i do i cant find anything

  • Type your comment> @DHIRAL said:

    Rooted. My experience:
    Foothold: Need a little bit of clever wfuzz. Just look at the 404 error its giving if you need hint...
    User: The hardest one in this machine. I spend a whole day for it... You will need programming and math skills for decrypting it.
    Root: Really easy once you do the user. Remember, if you cannot do a thing quickly, that's why scripts were invented....

    Feel free to PM me for hints. But I won't be available for whole day. So be patient if I don't reply...

    have got an obscura page... now what should i do i cant find anything

  • Got root :)
    Thanks @clubby789 for the box, so much fun!
    Also learn some new things

    N0rt0N

Sign In to comment.