Magic

1111214161721

Comments

  • Finally!!

    [email protected]:/root# hostname;id
    ubuntu
    uid=0(root) gid=0(root) groups=0(root)
    

    Root was basic, but very interesting to find it.
    No hints from me. I'm pretty sure that here is enough hints.

    Kirzaks

  • I am stuck at root. Been looking at a script that will clean stuff up and see some interesting "Search and destroy" instructions. However I have no idea how to inject my own code in there.
    Not sure if it is even the right path.

  • I need a little nudge for root, I think I found the binary but I dont know what to do with it now

  • finally rooted :smiley:

    Very interesting box, sure learned alot from it...
    Kudos to box owner.

    Hack The Box

  • edited May 2020

    just trying to get user, i think im gonna found it

    666snippet

  • I’m stuck with root, found something but doesn’t look right, could I have a little help? DM

  • help with root please DM

    666snippet

  • Had some trouble with root but in the end made it. Shout out to all the people who helped me, thanks a ton guys :) , Open for hints :)

  • stuck with the upload form, tried different approaches (using just magic, concatenating two files) but can't get RCE, let alone a reverse shell! a nudge would be appreciated :(

  • @federella said:

    stuck with the upload form, tried different approaches (using just magic, concatenating two files) but can't get RCE, let alone a reverse shell! a nudge would be appreciated :(

    You can get a good example of how to bypass this by googling what you are trying to do and going to a gitbook page.

    Ideally you want to be uploading an actual valid image.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • This was a very fun machine, there are a lot of good hints here. I have a couple more below:

    Foothold: OWASP Top 10 and hide something in plain sight

    User: If at first you don't succeed try again with something you already know

    Root: You can sometimes trick a system into looking at something it shouldn't

    PM me if you need any hints

  • Type your comment

  • Hi all.

    Get the user quite easy. there are at least two solutions to get in :)
    lovely box.

    But need some hint about root.

    As i see gdb is present. is we need to look in this direction?

    also, we have one +s file, witch allowed to our grp.

    it this ok?

  • Could not attach to process. If your uid matches the uid of the target
    process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
    again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
    ptrace: Operation not permitted.

    in my local solytion alredy found, but, as always, not in the server)

  • Done. Was really struggling with the root part for some hours because I misunderstood how that whole thing worked.

    Very nice box!

    emjay12

  • @swagcat228 said:

    Could not attach to process. If your uid matches the uid of the target
    process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
    again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
    ptrace: Operation not permitted.

    in my local solytion alredy found, but, as always, not in the server)

    You might be overthinking this. You don't need to RE anything for this box. Have a look at what its doing and see if you can meddle with it.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • Maybe an issue?

    Hi, i'm stuck with the upload of image... i tried all way to upload my rev, but if i upload a clean image too, catch ever and ever the "alert" of png, jpg extension.

    Anyone same issue??

  • Hi All. Working on root. When trying to upgrade the shell, it seems I am now getting an error that won't allow /bin/sh commands. Anyone having that problem or know how I might be able to get around? This was not an issue for the last few days.

  • Root Dance - learned an interesting method regarding the uploading.

  • Hello,

    Could I have an hint on the initial foothold ?
    I can upload a file that contains PHP code, but I haven't found a way to make it end with a executable extension. (Null bytes, double extension, content-type didn't work).

    I haven't found any PHP file that does inclusion and would allow an RCE by including the image with php code.

    I have also tried to include php instructions directly into the page since quotes aren't filtered in the filename but it didn't work either.

    I am a bit lost about the direction I should take.

  • edited May 2020

    Obviously, I find what I am looking just after asking for help 🙄.
    Search for OWASP documentation about file upload. There are some strange configuration about what get to be executed on a server.

  • stuck on www-root :/

  • And root! Great box from start to finish.

    Happy to answer messages for hints.

    jpredo

  • I totally agree, I also enjoyed the box and had fun. Thanks.
  • Sanity check, someone please? I may be into a rabbit hole trying to root... DM if possible

  • ROOTED.

    Learned alot on this one! Thanks @TRX

    Hyst3resis

  • Incredibly satisfying box for me. Although the frustration at getting initial foothold was maddening, the moment you realize how to get it, will give satisfaction in awesome waves ;). Root was very routine I think. The user part was really great. Thank you for this box.

    a3n3a

  • Great and funny box!

    FOOTHOLD: Burp, exiftool and curl will help you. After, a strong reverse shell is necessary.
    USER: An interesting service is running, not reachable before... And think easy way!
    ROOT: suid3num, strings or pspy64, and find the right "path"!

    Fr0Ggi3sOnTour

  • rooted, nice and straighforward box

    Parttimesecguy

  • rooted the box! but root.txt doesn't seem to have the right Hash.
    Did somebody experience the same Thing ?

Sign In to comment.