Official Blunder Discussion


Comments

  • Super fun box, very straightforward and the machine felt "lived in" which is nice. I am so rusty and made so many dumb mistakes, but 2-ish hours isn't too bad from boot to root after a 6-month break. Yay learning!

    Foothold: enum the main service and its vulns, fuzz for some specific file extensions to find juicy info, keep your cool, and don't forget to bring your towel. Defaults can be your downfall...

    User: Directory enum (but not too far from where you start with your foothold account), hashcat or pyrit; beware: thar be red fish!

    Root: There is a good John Hammond or LiveOverflow video (can't remember which) on how to do the root privesc with an in-depth explanation; it was released in late 2019 iirc. GTFO of the recycling bins, and keep it to 1 line.

    PM me if you need some assistance, but I might be slow to respond.

  • The user was a bit tricky! Once you find the username, search for how to use cewl, and once you use it things should start to click!

  • Spoiler Removed

  • @himutyagi09 said:
    Spoiler Removed

    Watch the spoilers, please. :-D

    I saw your post, before it was removed, and was having the same issue you were, but then saw several people in the forums saying they didn't even use that tool at all but instead used a script developed by someone else. Do some Googling and see if you can find other tools which might exploit the vulnerability you found. When you find another tool, look the code over to see if anything needs to be changed before you run it. Then try using that other tool instead.

    One other thing, I think it's possible the reason the exploit fails sometimes may have something to do with "leftover" .******** files not being cleaned up. If that's the case, maybe try rebooting the target system, setting up a ping process to see when it goes down (rebooting) and when it comes back up (reboot complete), and then send your exploit after it's back up with the network online. The exploit may work more reliably on a "freshly rebooted" system.

    Best of luck!

  • got root ..... need any help PM me

  • Finally rooted. I had some trouble getting a stable shell in the end. I had a problem elevating from the h user to root. If you are having problems with seeing your privileges, figure out how to get a full nc shell.

    kneedeep

    Reality is often disappointing.

  • is there a wordlist recommendation?

  • Hi, Need a little nudge on login...

  • Need a bit of help for initial. I found the username in a file using a web crawler. I then used cewl but I am not getting any matches. A nudge would help.

  • edited July 2020

    Spoiler Removed

  • edited July 2020

    @juanhk said:

    SPOILERS

    watch the spoilers with that username and maybe the command.

    To answer your question, it's (basically) the same reason you didn't have a prompt or anything for your shell. Look up how to upgrade your shell to a full TTY. I've had a lot of luck using python and python3.

    Cyberpathogen

  • Need a bit of assistance on this one please!

    I have the credentials of user "f" and can login, upload, etc. I have tried the 4****.py script but when I issue a command it does nothing. I tried to wget and I tailed my access.log and saw nothing. Tried ipconfig, whoami, nothing.

    So do I need to do this manually, or is there something in the python script that I am missing?

    Cheers!!

  • @mechs85 said:

    So do I need to do this manually, or is there something in the python script that I am missing?

    I never managed a manual exploit here but I found MSF very effective.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • @TazWake said:

    @mechs85 said:

    So do I need to do this manually, or is there something in the python script that I am missing?

    I never managed a manual exploit here but I found MSF very effective.

    Thanks, I did it manually in the end.

    Now trying to crack hash

  • @mechs85 said:

    Thanks, I did it manually in the end.

    Now trying to crack hash

    Awesome. Good luck.

    TazWake


  • edited July 2020

    All done on this box now.

    Tips:

    Foothold:
    Enumerate properly, gobuster, dirb, dirbuster, etc
    Don't be too Cewl for school
    .py route may not work, so take 10 mins and understand the exploit. Use the same methodology and you'll get it.

    User:
    Think you found it? Maybe, if you feel like you're going crazy, stop. Look around again

    Root:
    Google what looks weird. Not seen this exploit before, but it's eye-opening. But very very easy

  • edited July 2020

    Hey, I've done the box but now I'm trying to get this done manually. I think I know everything that is needed to do it but I can't get code execution. My files are on the server in a directory; I can find them in the browser following the path, but when I pass args to the file nothing happens. Obviously I'm doing something wrong but I don't know what. Could someone help me with that?
    Edit: Nevermind, of course just when I give up I learned that my access file needs one additional new line at the end.
    So I did it, I've done it manually and the automatic way. Took me like 3-5h but I'm a noob so for me it is quite a good time. Super fun for me, especially the first step. Root was easy because I did know about this, and now the first thing I do is check that. :smile: Overall a fun box for me.

  • I had a ton of fun, and learned even more on this on this box!! Thank you.

    My question is how do I give respect to someone if they helped me out? I can't seem to figure out where or how I do that to a user account.

    Thank you to all the hint providers in this thread, the box creator @egotisticalSW and especially to @TazWake for the extra nudges to get me across the finish line!

  • Hello, can someone PM me to explain what to do for the initial foothold?

  • Finally rooted. Getting the foothold was the fun part; after that it's easy.

  • Having a lot of trouble getting the shell manually. I'm aware of the POCs and I think it's pretty clear what they are doing. My problem is this: I send a request to upload an image with an acceptable file extension. I capture that request in burp and change the file and it's contents in an effort to upload a new .htac**** file. Despite the fact that I capture the request in burp, when I forward the modified request on, the app still responds that I can only upload files with specific extensions, which tells me this validation is happening on the server. If that's the case, how are people getting this new file uploaded?
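    The post above turns on whether the upload check runs server-side and what it actually rejects. As an added illustration (not code from the box, the thread, or any PoC), here is what a sound server-side upload validator looks like: it strips client-supplied paths, refuses dotfiles such as .htaccess, requires exactly one allowlisted extension, and confirms the bytes match the declared type. The allowlist and magic-byte table are assumptions for an image-upload endpoint.

```python
import os
import re
from typing import Tuple

# Assumed allowlist for an image-upload endpoint.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes for each allowed type, used to confirm content matches the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Stem may only contain a short run of plain characters.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate upload; ok is True only for a
    plain, single-extension, allowlisted file whose bytes match its type."""
    # Discard any directory component the client sent; storage path is ours.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        # Dotfiles such as .htaccess can change the web server's behaviour
        # in the upload directory (pair this with AllowOverride None in Apache).
        return False, "hidden or empty filename"
    parts = name.split(".")
    if len(parts) != 2:
        # Rejects "cat.php.png" style names that mod_mime may interpret twice.
        return False, "filename must have exactly one extension"
    stem, ext = parts[0], parts[1].lower()
    if not _SAFE_STEM.match(stem):
        return False, "disallowed characters in filename"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not content.startswith(MAGIC[ext]):
        # Extension alone proves nothing; the declared type must match the bytes.
        return False, "content does not match declared type"
    return True, "ok"
```

    Checking the filename in the browser and not on the server is exactly the gap the post is probing; this function is the server-side counterpart.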

  • Rooted!

    That was actually really interesting, a great box to learn some basics and tune my eyes and thought process in. This was the first box I've looked at in detail since going through Starting Point and it took me probably 7 hours split over a few sessions, largely due to unfamiliarity with tools. Yes, others have done it quicker, but as someone who has just completed their first box, I was more than happy.

    For those that are stuck, feel free to PM and I'll try and lightly point you in the right direction if you tell me what you've tried and what you've found etc. I'll admit, there were a few times I felt like shouting out for help but glad I stuck with it, and I'll reiterate what others have said previously:

    If you read this forum post carefully all the information you need for every step is listed.

    Footholding was a tad tricky; I spotted what I needed to do instantly but doing it took a bit of time cobbling together.

    Beware of rabbit holes, I fell into more than one or two.

    With the right tool / script / CVE / knowledge, each stage could be completed within 10-15 minutes, so if what you're doing is taking longer you're probably doing something wrong.

  • Hey guys. I'm very stuck with login. I think I have the correct user "f....................." but I don't know how I can get the password. I've read I have to make my own wordlist but I'm not having luck. Am I on the correct path with the user? Can someone give me a hint to get the password?

  • Have an issue with msf....
    Here's my log:
    [*] Started reverse TCP handler on 10.10.14.187:4444
    [+] Logged in as: ******
    [*] Retrieving UUID...
    [*] Uploading XnmMCeRUYz.png...
    [*] Uploading .htaccess...
    [*] Executing XnmMCeRUYz.png...
    [!] This exploit may require manual cleanup of '.htaccess' on the target
    [*] Exploit completed, but no session was created.

  • @herrlestrate said:

    Have issue with msf....

    This gets asked every few days. I don't have an answer because I never experienced this issue. Generally, it means things like the payload needs to be changed.

    TazWake


  • I keep running into this issue in the metasploit module; if someone could help me out, I would greatly appreciate it.

    I have censored the spoilers.

    I keep running into this issue:

    [*] Started reverse TCP handler on 192.168.43.183:4444
    [+] Logged in as: ******
    [*] Retrieving UUID...
    [*] Uploading vqBjNbYrIS.png...
    [*] Uploading .htaccess...
    [*] Executing vqBjNbYrIS.png...
    [!] This exploit may require manual cleanup of '.htaccess' on the target
    [*] Exploit completed, but no session was created.

    Someone please help me. I am new to HTB.

  • @Archangel78 said:

    I keep running into this issue in the metasploit module; if someone could help me out, I would greatly appreciate it.

    I have censored the spoilers.

    I keep running into this issue:

    [*] Started reverse TCP handler on 192.168.43.183:4444
    [+] Logged in as: ******
    [*] Retrieving UUID...
    [*] Uploading vqBjNbYrIS.png...
    [*] Uploading .htaccess...
    [*] Executing vqBjNbYrIS.png...
    [!] This exploit may require manual cleanup of '.htaccess' on the target
    [*] Exploit completed, but no session was created.

    Someone please help me. I am new to HTB.

    Check your LHOST IP

  • I have seen that many people here are using the MSF module to exploit the vulnerability. You can choose that if you wish.
    But many are not configuring LHOST properly. Check options before you exploit.

  • edited July 2020

    Spoiler Removed

    Hack The Box
    Silence, i'll hack you!! ;-)

  • @Archangel78 said:
    >
    > I keep running into this issue in the metasploit module; if someone could help me out, I would greatly appreciate it.
    >
    > I have censored the spoilers.
    >
    > I keep running into this issue:
    >
    > [*] Started reverse TCP handler on 192.168.43.183:4444
    > [+] Logged in as: ******
    > [*] Retrieving UUID...
    > [*] Uploading vqBjNbYrIS.png...
    > [*] Uploading .htaccess...
    > [*] Executing vqBjNbYrIS.png...
    > [!] This exploit may require manual cleanup of '.htaccess' on the target
    > [*] Exploit completed, but no session was created.
    >
    > Someone please help me. I am new to HTB.

    Hey bud. Welcome to HTB.

    You should use your VPN IP address instead of your LAN IP address for anything inside HTB.
    Your tun0 (VPN) IP address will be something like 10.10.14.xx.
    Use that in your msf options instead of 192.168.xx.xx. You can do that.
    Good luck ;)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps
