Traceback


Comments

  • Rooted this box finally!!! Learned some new tricks.

    Here are some hints:

    Foothold

    • OSINT is your friend
    • Search for the right script
    • Login and reverse shell

    User

    • Get the right shell (output)
    • Enumerate
    • You gotta love it
    • Reverse shell it

    Root

    • Listen carefully to all processes
    • See how to manipulate
    • Perfect timing is needed

    A special thanks to @s1gh for your help.

    If anyone needs help on this box you can PM me, I'll give you a hint. But please be clear to me what you already did and where you are stuck now.

    Thanks @Xh4H for the box

    Hack The Box
    Silence, i'll hack you!! ;-)

  • Have been trying to get root for a bit, I can execute a reverse shell no problem using the files / process, but I cannot put my ssh file in the root location, or cp the root flag using the same method.

    I get a message permission denied, something like this: "cannot stat '/root/root.txt': Permission denied"

    Can anyone give me an idea why? I am executing from sysadmin shell, it's super frustrating! haha.

  • For the first step, which is entering the machine, pay close attention to the response of the web page, analyze the message and google.
    For the User: simple linux enumeration will give you a lot of information
    For Root: Analyze the processes of the machines they will give you a lot of information, pspy can be your friend in this step.
    Any questions can call me

  • @chicxulub said:

    Have been trying to get root for a bit, I can execute a reverse shell no problem using the files / process,

    If you can get a reverse shell that's the job done. Not every box allows every possible combination of attacks.

    but I cannot put my ssh file in the root location, or cp the root flag using the same method.

    Syntax and timing might be the issue here.

    I get a message permission denied, something like this: "cannot stat '/root/root.txt': Permission denied"

    That message implies the account trying to do something doesn't have the right privileges to do what you are trying to do.

    Can anyone give me an idea why? I am executing from sysadmin shell, it's super frustrating! haha.

    Without knowing what you've done, it's hard to say. If you are executing the commands from sysadmin, you don't have permissions to see the root files. If you are doing it by exploiting a service which runs as root, there may be some other issues in place. It largely depends on how much you care to determine how much effort you'd bother putting in to find out what is causing it.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake yeah I have been doing it by exploiting the service using the Up-Mo. files. I meant that I could get a reverse shell by exploiting the service, but I can't cp the flag or add my ssh in there to ssh In. Seems like no matter how fast I do it, haha.

    I have been echoing in my commands into the files, instead of editing the files manually. Do my user permissions carry through if I echo the commands to add to file, instead of doing it manually? My goddamn vi commands are all wonky trying to edit manually.

    It must be some little thing but it is bugging me haha.

  • @chicxulub said:

    @TazWake yeah I have been doing it by exploiting the service using the Up-Mo. files. I meant that I could get a reverse shell by exploiting the service, but I can't cp the flag or add my ssh in there to ssh In.

    Do you mean the shell you are getting is a low-priv shell?

    Seems like no matter how fast I do it, haha.

    Linux has a command which can help you win this race while you sit back and watch.

    I have been echoing in my commands into the files, instead of editing the files manually. Do my user permissions carry through if I echo the commands to add to file, instead of doing it manually? My goddamn vi commands are all wonky trying to edit manually.

    So, in theory, the privs you & the file have shouldn't matter. If you can modify the correct file it is triggered by a root process and the resulting exploitation should be as root.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/
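
The weakness discussed in this exchange, a root process executing files that a lower-privileged account can modify, is something an administrator can audit for. The following is an added example, not code from the thread or the box; the function name `audit_root_run_dir`, the labels it prints and the sample file names are hypothetical, and it assumes GNU `find`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory whose scripts are
# executed by a root-owned process and report anything that an account other
# than the trusted owner could modify.
#
# Usage: audit_root_run_dir DIR [TRUSTED_UID]
#   DIR          directory of scripts that a privileged job executes
#   TRUSTED_UID  uid that is allowed to own the files (default 0, i.e. root)
#
# Output, one finding per line:
#   DIR-WRITABLE  <dir>   the directory itself is not owned by the trusted uid
#                         or is group/other-writable (files can be replaced)
#   FILE-WRITABLE <file>  a script is not owned by the trusted uid or is
#                         group/other-writable (contents can be appended to)
audit_root_run_dir() {
    dir=$1
    trusted=${2:-0}

    # A writable directory lets a user swap a script out even if the
    # script's own mode bits are tight.
    find "$dir" -maxdepth 0 \
        \( ! -user "$trusted" -o -perm /022 \) \
        -exec printf 'DIR-WRITABLE %s\n' {} \;

    # Regular files directly inside the directory: flag wrong owner or
    # any group/other write bit.
    find "$dir" -mindepth 1 -maxdepth 1 -type f \
        \( ! -user "$trusted" -o -perm /022 \) \
        -exec printf 'FILE-WRITABLE %s\n' {} \; | sort
}
```

Any line of output means a non-root account can change what the privileged process runs; the fix is root ownership with mode 755 or tighter on both the directory and the scripts.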

  • @TazWake I know, it's wild, it has been stumping me for quite some time.

    Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

    But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn't do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

  • @chicxulub said:

    @TazWake I know, it's wild, it has been stumping me for quite some time.

    Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

    Ok, something isn't working correctly.

    But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn't do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

    The attack needs to be in the correct place and triggered in the correct way for it to work. It should be simple but as is so often the case, that just means lots of things can still go wrong.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake hmm.. yes, the correct place, perhaps that is it. Another reason why I was wondering about the echoing instead of manual edit, but I figured it shouldn't matter.

    It is for sure some little thing that I am doing wrong that I haven't realized yet, but I will eventually. One of those things you get and you're like "god how did I miss that". Thank you for your help!

  • After taking a break from HTB - it was nice to get back into with this machine.

  • Quick and easy one.
    Thanks @Xh4H for this fun learning experience.

    Hack The Box

  • Rooted. PM for nudges.

    Initial Foothold: OSINT using the information you find on the homepage for the web server. One of them will work. I suggest saving all their names to a text file and giving them to gobuster to do the heavy lifting. Need a password? How about you read the source code.

    User: Took me way too f**king long because I was trying to be too clever about it. Don't bother with a reverse shell for this stage, save that for once you actually get the user account. Start simple, with a shell. You're gonna need to "learn" a new language to get this shell to work. Also, don't be lazy... read the man page for sudo.

    Root: What processes are running. You probably won't be entirely too familiar with the process running, so do some Googling. Even 10 minutes is enough to get an idea of what you're going to have to do. You'll need two terminals. Don't bother editing any files directly, just append to whatever you wanna edit via >> rather than trying to edit and save. You won't be fast enough.

    Pretty fun box, and I actually enjoyed the CTF elements since they were done well.

    Cheers @Xh4H

  • am stuck with root, I tried ssh thru web**mn but with no luck

  • I am getting this "load pubkey id_rsa : invalid format" error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

  • @N00p said:

    am stuck with root, I tried ssh thru web**mn but with no luck

    Finally Rooted

  • @anir08 said:
    I am getting this "load pubkey id_rsa : invalid format" error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

    Try it with different acc

  • @N00p said:
    > (Quote)
    > Try it with different acc

    tried again and now the ssh says
    Warning: Identity file id_rsa not accessible: No such file or directory

    I even checked my public key when I escalated as sys***** abusing the said function.

  • @N00p said:

    @anir08 said:
    I am getting this "load pubkey id_rsa : invalid format" error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

    Try it with different acc

    check perms of authorized_keys should be 600

  • @anir08 said:
    @N00p said:

    (Quote)
    Try it with different acc

    tried again and now the ssh says
    Warning: Identity file id_rsa not accessible: No such file or directory

    I even checked my public key when I escalated as sys***** abusing the said function.

    check perms of authorized_keys should be 600

  • Rooted!
    First box that took me less than a day, also the first that I didn't have to message anyone for specific help about. Forum comments did help me though.
    I thought this was a good box that linked together a few different techniques that had come up in other boxes. It took me a while to think through the steps but it all made sense in the end.
    PM me if you need help!

  • All the hints for foothold are very cool, but!
    Git repository where you'll find the list of shells IS NOT THE AUTHOR'S
    Cause he has just the same repo, but other shells, stuck on it for soooo long lol

    Good game. well played!
    Arrexel

  • after editing the a*********_***s and I try to login, it doesn't accept it. I make sure that the file is how I left it but nothing happens. Any hints? I also tried to run a lua script but didn't work

  • @AgentWhite said:

    after editing the a*********_***s and I try to login, it doesn't accept it. I make sure that the file is how I left it but nothing happens. Any hints

    Chances are the file isn't how you left it. A lot of people don't understand the difference between > and >> so have a tendency to overwrite the existing files here.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Well, I didn't realize I was putting the wrong key actually and I feel dumb about it.
    Anyhow, I managed to get the flag but my question is, was this machine only to get root or is there user also?

  • @AgentWhite said:

    Well, I didn't realize I was putting the wrong key actually and I feel dumb about it.
    Anyhow, I managed to get the flag but my question is, was this machine only to get root or is there user also?

    All HTB boxes have both flags, this one is no exception.

    The user account you need to be in to get root has access to the user.txt flag.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • when trying to SSH to 10.10.10.181 I am getting a password prompt. I didn't configure any password while regenerating the ssh keys. Is anyone getting the same message, for a password prompt?

  • edited April 22

    Got root, Nice machine :)
    If you need a nudge, feel free to PM me.

  • @Thanos17 said:

    when trying to SSH to 10.10.10.181 I am getting a password prompt. I didn't configure any password while regenerating the ssh keys. Is anyone getting the same message, for a password prompt?

    If it is a password prompt from the server, your keys have been overwritten by someone else or haven't been installed correctly.

    If it's a password to unlock the key, then either you messed up and did set a password or something really weird is going on.

    If you are using key based authentication (and I assume you've used -i correctly), the only password requests come from your machine, not the server.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Finally user and root. The biggest problem with this machine is the noise caused by other testers :(. I spent like an hour trying to exploit a /shell.php thinking that this was the backdoor...




  • Rooted, nice and easy. Didn't get a shell - no need. Always open to help, as per usual :)

    skunk

    Happy to offer nudges to anyone on boxes I've done, provided you show that you've reasonably tried to understand what the goal is! If I do help, please consider giving respect!
