Fatty

edited February 7 in Machines

Round two since there were some server issues the first time around.

Really looking forward to this machine, even though I'm positive it is going to be a doozy. Good luck everyone! :smile:


Hack The Box
defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"


Comments

  • edited February 1

    ... and ... Hrm, box indicated as up, but pings return destination unreachable. Before we all go crazy with blind nmap rage would this be considered part of the Insane-ity? :-)

    Or it's just down for us-vip-3.

  • eu-vip 12 also no response to ping ...hm

  • Unless this requires a "knock" to open ports I think the VM is dead.

  • edited February 1

    Interesting. Reloaded active machines status page, now saw a "play" button, clicked that and got a red "Machine not found" error message.

    I'm assuming some technical issue with deploying Fatty. No worries.

    From Discord #announcements:

    HTB Staff are aware of the issues with the new box(fatty) please be patient.

  • edited February 1

    From discord:

    g0blin, Today at 8:14 PM
    Heads up, new box Fatty is currently not functioning across all labs. I'm travelling atm but will look into it ASAP. The release may be delayed until tomorrow, as I don't want to rush a fix after a day of travel.

  • Unable to start the box on eu vip 19. Just says machine not found.

  • edited February 1

    Let's wait for tomorrow


  • Please read the discussion description everyone!



  • If Patents has a difficulty rating of 7.9/10, I can't imagine Fatty having a difficulty rating of 10/10. Must be real insane.

    limbernie
    Write-ups of retired machines

  • @limbernie said:

    If Patents has a difficulty rating of 7.9/10, I can't imagine Fatty having a difficulty rating of 10/10. Must be real insane.

    I agree. I think I am going to wait until this one retires :smile: RE was hard enough!

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Rereleasing at the normal time tonight, everyone ready?

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • edited February 8

    Spoiler Removed

  • Well, if I'm able to access the console already, there should be ppl close to claiming user :P


  • Spoiler Removed

  • edited February 9

    Well. 50pts for a reason.

    Update: "Wonky" would describe this client pretty well, I think.

    Update #2: TIL how to decompile a jar file... Is it a rabbit hole to think we need to alter this (if possible or is signing an issue?) to work around some things? Still don't see how commands/messages are formatted/encoded/etc to or from server. Curious to see that.

  • edited February 9

    So far this box seems really good. Congrats to @jkr on root!

    Edit: Feels very close to user. I'm missing something...

    clubby789

  • edited February 10
    I haven't got user yet, but I'm enjoying this VERY MUCH so far.

    Update: got user now :) awesome box
  • I am enjoying it too. I got completely sucked into it yesterday after having thought "Ugh. Java client." No idea wtf I'm doing, but I'm having fun doing it.

  • edited February 13

    I just got a shell and cannot read user.txt even though I can run other commands, what a trolling machine hehe

    nvm got user.txt, on to root!

    Edit: and rooted.


  • edited February 9

    (Still on foothold stage): Can one actually enable the debug output? I change the value to true and it re-compiles and runs, but never see output from S-----.out.p------(). Seems like it would be useful. Cannot really change anything else without errors.

    Update: Hrm. Even commenting out the "if" checks no output. Does something block or redirect "S-----.out.p------()" elsewhere?

    Update#2: Apparently it helps to understand that re-compiling != saving back to jar. /eyeroll

  • edited February 13

    Got user, root to go


  • Spent a few hours fixing the java client. Now I have it running but can't figure out what to do next. Can anyone lend me some hints...

  • Got user! Fix the client, and get the server program. Audit the server code, you can see a typical vulnerability in Java, just exploit it.
    Road to root, can't figure out the next step, can anyone share some hints?

  • I think it's not possible to do this box without Java Spring developer knowledge.

  • @rholas said:

    I think it's not possible to do this box without Java Spring developer knowledge.

    I'm planning to take an advanced Java course on Udemy lol ;)

  • Anyone have problems with downloading the jar file?

  • @hackbarx said:

    Got user! Fix the client, and get the server program. Audit the server code, you can see a typical vulnerability in Java, just exploit it.
    Road to root, can't figure out the next step, can anyone share some hints?

    I have fixed the client. Do I need the admin role to get the server code?

    When asking for help, please describe what you have tried so far, so I don't spoil too much.
    If you believe I was able to help, please provide feedback by giving respect:
    https://www.hackthebox.eu/home/users/profile/122308

  • Taken user. A really great box, forced me to leave my comfort zone but didn't leave me guessing (except for a few minutes).

    clubby789

  • @clubby789 said:

    Taken user. A really great box, forced me to leave my comfort zone but didn't leave me guessing (except for a few minutes).

    Completely agree. A lot of work (especially for my rusty Java skills), but so far, no CTF magic, just well chained vulnerabilities. If root is as good as user or better, it will indeed be one awesome box.

  • Getting this error in the Java client: "Caused by: java.lang.SecurityException: SHA-256 digest error for b....xml". I already changed the settings but can't seem to get it to work. Any help is appreciated!
