Travel


Comments

  • Finally got root,
    this box is very, very good and realistic.
    Thanks to the Authors ^_^

  • What a journey! But it was definitely worth it! Great job @xct and @jkr!
    And thanks to @TheWorld and @Neo2SHYAlien for your nudges.
    Some additional hints to what is already found here:
    foothold: A single byte can make a huge difference. Don't be a private member like I did first but a public one.
    User: usual enum
    Root: After user you'll pretty instantly find something juicy which is the way forward. Check with google how this thing may relate to linux authentication and how you can leverage that for your success.
    As always: PM for hints, this box is a beast ;)

  • Is there anyone else here who spent days just trying to find something? I've used multiple directory scanning tools that come up with nothing.

  • Finally rooted!
    Thanks to everyone that gave me hints.
    That was the hardest box that I've done so far.

    PM me for nudge.

  • Rooted.

    I think that was the best box I've ever played on HTB. Both user and root seriously challenged my creativity. I learned SO much, thank you guys for making this. Incredible.

    Hack The Box

  • This one was insane!
    I would have never done this without help!

    User: Once you find that S**F, think what you can request; do not point to yourself.
    Once you got it, Google "S**F m******e php".
    Root: user permission, query and groups
  • edited June 20

    If anyone could offer some sanity checking for my foothold method it would be appreciated.

    I have a pretty good idea of what I want to do with m******** and I can see my results in d*******p, but I'm not getting anything to happen with my payload; it just gets re-overwritten.

    Edit: Thanks straylight

  • I have got these 2 files, r**_********.php and ********.php; need help with command injection.

  • Spoiler Removed

  • Can anyone help with the m********d part??

    azeroth

  • Rooted. Whew. That was a *hard* box. The initial foothold was the trickiest, and I admit I needed some great nudges from @TazWake @gunroot and @Roinard. Thanks to all of you, much respect will be coming. Once I had that it was a matter of chugging through the steps.

    I don't have anything to add to what has already been posted here.

    pugpug

  • That was a total beast and thanks to the folks that stayed with me through that one. For some reason this gave me the most problems of all the boxes I've done and I'd like to understand why. I'm interested in the mindset and approach taken for that initial foothold. Please DM if you have a write up and would be willing to share so I don't have to wait for the machine to retire - it's really bugging me. I've rooted and can provide evidence so you know I'm not looking for spoilers and cheating.

    corpnobbs
    OSCP | OSWP | so much more to learn ...

  • Most difficult box I've completed; definitely needed some help along the way.
    If you need a push, let me know.

    anoNym1ty

  • Very tough to get foothold; had to come back many times with a fresh head and re-think.
    PE is fantastic; read and learned a lot on the way. Something I heard about but never actually did.
    I would rate the user flag as insane, at least it felt sometimes that I would go in that direction ;=)

  • @dieterh said:

    Very tough to get foothold; had to come back many times with a fresh head and re-think.
    PE is fantastic; read and learned a lot on the way. Something I heard about but never actually did.
    I would rate the user flag as insane, at least it felt sometimes that I would go in that direction ;=)

    I agree.

    Privesc was enjoyable but much more straightforward than user. Getting that initial foothold is super hard work.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Spoiler Removed

    lebutter
    eCPPT | OSCP

  • Wow, what a trip. Took me a few days, but I LOVE boxes like this. Custom exploitation, poring through source code, reading pages of documentation. This is why we do it.
    Thank you @xct and @jkr, great box. Probably going to clean up my disgusting travel directory, update my notes, and digest all of that.

    Also @applepyguy, thanks for putting up with me and helping me through it.

    rub1ks
    Find me on Discord: rub1ks #4045

  • edited July 4

    @lebutter said:

    Am I the only one who is trying to get a replica of the blog setup locally? The Simplepie stuff is NOT working in my case and I have no idea why... I'm feeding it the original same file, it's pretty much 100% the same code as from the server... yet it doesn't display the travels.

    You may lookup the error. A simple google quickly revealed for me what I was missing.

    Hint: It was not directly related to Simplepie but m*******e, missing as a module. You also find hints to it in the "main" source file.

    Good luck :)

  • edited July 4

    Thanks... but I'm not using m****; I'm basically running the simplest version of it. I've got it down to pretty much the same as what they show in tutorials... yet it doesn't query that feed file and doesn't return anything. No error either. So far I've basically spent most of my time trying to create a freaking one-page wordpress blog; this is driving me nuts.

    lebutter
    eCPPT | OSCP

  • Finally got it. I never managed to get my replica of the bl** working but that wasn't completely necessary. This server was insane for me.

    The foothold is definitely the hardest. Many times I thought I was going too far down a rabbit hole and caught myself thinking "this is too convoluted" while buried in source code up to my neck... which for me is tricky, as I'm not a developer. I struggle to follow code in big code bases.

    User and root are easier, although not that straightforward, as it relies on a service I hate.

    lebutter
    eCPPT | OSCP

  • Rooted it! The foothold was very, very hard, but very, very enjoyable! Thanks @xct and @jkr for this awesome box! Also thanks @Roinard and @anoNym1ty for the nudges!
    If you need a small nudge, feel free to send me a PM!

    ArtemisFY
    OSCP

  • Is anyone doing this box?

  • @all said:

    Is anyone doing this box?

    I was last night, got a bit stuck but planning on having another crack at it!

    jaxigt

  • @JaXigt said:

    @all said:

    Is anyone doing this box?

    I was last night, got a bit stuck but planning on having another crack at it!

    OK, great. Looked through threads here and the hints are too cryptic. My line of thought is perhaps there is something there in the r** page and j**n *pi.

  • @all said:

    OK, great. Looked through threads here and the hints are too cryptic. My line of thought is perhaps there is something there in the r** page and j**n *pi.

    It kind of depends on where you are stuck. User is a lot harder than root here.

    If you are looking for user: enumerate it a lot, find something, dump it and read it. By reading it you should get an idea about what is vulnerable in the code; then you can build an attack to exploit this. I found this step very hard, with a lot of trial and error to get the right syntax.

    Eventually, this gets you a foothold. More enumeration, find something which allows you to connect properly with a real shell, and you can get user. Privesc is, compared to that, quite straightforward.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Tough, but awesome experience. Props to the makers. PM for nudges.

  • edited July 24

    Hello, can someone give me a hint on the "basic enumeration" after the first shell? I found one password and some uncrackable password hashes. That's basically it; I don't know how to proceed from here.

    Edit: Somehow hashcat did not work for me. I used john instead and it worked. Thanks @TazWake

    doxxos

  • @doxxos said:

    Hello, can someone give me a hint on the "basic enumeration" after the first shell? I found one password and some uncrackable password hashes. That's basically it; I don't know how to proceed from here.

    Have a look for other ones; maybe something someone backed up somewhere.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Would someone like to nudge me on foothold? I have enumerated directories and scanned several different ways.

  • @baitin said:

    Would someone like to nudge me on foothold? I have enumerated directories and scanned several different ways.

    Fuzz a lot. Find something which looks like a repo, download it. Read what it contains. Build an attack based on what it contains (and the source code to something it points to). Exploit it. Get a shell.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/
