Official Blunder Discussion


Comments

  • @hackgineer said:

    ...
    My question is how do I give respect to someone if they helped me out? I can't seem to figure out where or how I do that to a user account.

    Did you try finding the user account in hackthebox site (not the forum) ?
    If you click on "Member Finder" in the top right corner, just fill in the name and search for user... then, in his profile the first button under his name is: "Give Respect"
    Hope it helps :) respect

    my profile on hackthebox

    Above is a link to my profile. Use the Respect button if u feel like it. I'll do the same.

  • Rooted, foothold and user are nice, root super ez.
    PM for nudges

  • Okay, actually rooted. Good service for noobs (like me).

    If you have trouble with MSF - check your iptables. Maybe your iptables block any INPUT connections. (I had the same problem).

  • Rooted... I really overcomplicated this one. User took way too long, just simple enumeration gives you all you need.

    Root/escalation took around 5 minutes. And again, just simple enumeration and google what's right in front of you.

    raystr

  • Finally rooted! This was my first ever box on HTB and it took me 3 days x_x

    Hints:-
    1. Foothold - Fuzz with the most common file extensions you can think of to get the username. After that, just be "cool" ;)
    2. User - Easiest part of the challenge. Investigate the application's files thoroughly.
    3. Root - Took me the most time. Felt so stupid after I found it. The nudges "check your privs" and "root required a single line command" helped a lot.

  • @horatiu said:

    Did you try finding the user account in hackthebox site (not the forum) ?
    If you click on "Member Finder" in the top right corner, just fill in the name and search for user... then, in his profile the first button under his name is: "Give Respect"
    Hope it helps :) respect

    Thank you!! "Respect given"s are complete ;-)

  • Hey everyone
    I have written a python class based on the poc if anybody is interested. I am not sure if it is ok to share here since it could be a spoiler. I would like to give some hints to my fellow beginners:
    1. I banged my head against a wall with the dubdubdub until I looked for bases with data in them.
    2. I can't believe that such a simple out of bounds error in such a vital part was only discovered one year ago.

  • @MarinaD said:

    Hey everyone
    I have written a python class based on the poc if anybody is interested. I am not sure if it is ok to share here since it could be a spoiler.

    I'd be tempted to wait until after the box retires.

    I would like to give some hints to my fellow beginners:
    1. I banged my head against a wall with the dubdubdub until I looked for bases with data in them.
    2. I can't believe that such a simple out of bounds error in such a vital part was only discovered one year ago.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • Really fun box, user was definitely the hardest for me but root only takes a few minutes if you manage to avoid the rabbit holes.

    Lots of good advice here already but my 2 cents for user is: you don't need to guess, credentials are right in front of you, but if you want to be like the cool kids and bruteforce this Google might lead you to a .py script that can help you but it doesn't work out of the box. I tried it after with the right credentials and it saw them as incorrect.

  • Any nudges please, I tried all kind of fuzz tools and I know how to exploit the box beyond the foothold but I can't figure out the username.

  • @comdark said:

    Any nudges please, I tried all kind of fuzz tools and I know how to exploit the box beyond the foothold but I can't figure out the username.

    Fuzz for files, not just folders.

    TazWake


  • edited July 2020

    @hackgineer said:

    @horatiu said:

    Did you try finding the user account in hackthebox site (not the forum) ?
    If you click on "Member Finder" in the top right corner, just fill in the name and search for user... then, in his profile the first button under his name is: "Give Respect"
    Hope it helps :) respect

    Thank you!! "Respect given"s are complete ;-)

    I respect you for respecting me :)

    And thank you egotisticalSW for creating this machine... quite fun and challenging... and it helped me understand how to use 'cewl' command to create wordlists with the content of a site ;)


  • I spent ages trying to "cool" this thing but the py file doesn't work straight out the box. Luckily a good hint helped me find what I needed to get user. Just google what you need to RCE.

    Once you get user and you run your enum scripts, root will probably take about 5 minutes. Once you find what you need just "hop along".

  • Finally got root, got completely thrown off the simple path to root because of some interesting pictures I found in the user folder. Started looking into an exploit attacking a service on a port... Ah well, learned a ton though

  • Wowee, first box rooted in months because of being super busy at work due to Covid.

    The foothold took me the longest out of any part of that, and root took me literally 10 seconds!
    Happy to give spoiler free hints.

    JohnEagle
    Always happy to help, feel free to drop me a PM for spoiler-free nudges

  • @TazWake said:

    @comdark said:

    Any nudges please, I tried all kind of fuzz tools and I know how to exploit the box beyond the foothold but I can't figure out the username.

    Fuzz for files, not just folders.

    @TazWake , thanks for the hint , got it.

  • Anyone help me please, I can't connect with VPN, it's showing this message

    Tue Jul 28 16:46:00 2020 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2020
    Tue Jul 28 16:46:00 2020 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
    Tue Jul 28 16:46:00 2020 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Tue Jul 28 16:46:00 2020 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Tue Jul 28 16:46:00 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.77.152.102:1337
    Tue Jul 28 16:46:00 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Tue Jul 28 16:46:00 2020 UDP link local: (not bound)

  • @odvut said:

    Anyone help me please, I can't connect with VPN, it's showing this message

    It's best to keep questions about connection to the other areas, this isn't really related to the box Blunder.

    If all else fails, it's worth raising a JIRA ticket with HTB to get them to see if they can help - https://hackthebox.atlassian.net/servicedesk/customer/portal/1

    At a guess - and I really don't know much here - I'd say it looks like the ovpn config file you are using is incorrect.

    TazWake


  • Nice box, learnt a new privesc exploit!

    Foothold: enumerate very well, find vulnerable software and information to access it, smart guess creds, exploit
    User: enumerate well on the inside. Where are creds typically found?
    Root: enumerate yet again, Google what looks strange

    Feel free to DM for more specific hints.

    peterdjalaliev

  • Stuck on user. I found three password hashes - two of them had salts and one is missing the salt entry. Is that the way it should be or did someone mess with the machine?

  • @0xRand0m said:

    Stuck on user. I found three password hashes - two of them had salts and one is missing the salt entry. Is that the way it should be or did someone mess with the machine?

    You might be going in the wrong direction. Enumerate what your account can do.

    TazWake


  • @TazWake said:

    @0xRand0m said:

    Stuck on user. I found three password hashes - two of them had salts and one is missing the salt entry. Is that the way it should be or did someone mess with the machine?

    You might be going in the wrong direction. Enumerate what your account can do.

    Thanks for the tip! I will do that.

  • edited July 2020

    I think my previous question was poorly written. I meant that I am stuck getting user - not that I have user.
    So I'd like to repeat the question: should all three hashes have salts?

  • @0xRand0m said:

    I think my previous question was poorly written. I meant that I am stuck getting user - not that I have user.
    So I'd like to repeat question: should all three hashes have salts?

    Ok - sorry, I misunderstood.

    I can't say too much without hitting a massive spoiler, but I would take time to fully enumerate to find one which is different than the others. You might need to use an online station to crack this as I don't think any of the default wordlists will help you.

    TazWake


  • I see. Thanks again!
    In this thread some people called the hashes easily crackable - this threw me off it seems.

  • @0xRand0m said:

    I see. Thanks again!
    In this thread some people called the hashes easily crackable - this threw me off it seems.

    With hindsight, the hash you need to crack is super easy to crack. It just doesn't look easy when you face the other way!

    If you are still stuck, drop me a PM for more specifics.

    TazWake


  • I got it :D
    Using an online service did the trick. I always use hashcat on my local machine for cracking - that now seems kinda stupid ;p

  • @0xRand0m said:

    I got it :D
    Using an online service did the trick. I always use hashcat on my local machine for cracking - that now seems kinda stupid ;p

    Nah, 99% of the time that works fine - just remember if it doesn't, try something else.

    TazWake


  • Hi, I'm trying to exploit the vulnerability here with both the one "pre-made" and one downloaded but I get this message when using check "The target is not exploitable". And when I try to exploit it, I get this message "Exploit failed: An exploitation error occurred.".

    What could be wrong here?

    I'm 99.9999% sure I filled in all params right. I checked and checked again

  • @GooseSthlm said:

    Hi, I'm trying to exploit the vulnerability here with both the one "pre-made" and one downloaded but I get this message when using check "The target is not exploitable". And when I try to exploit it, I get this message "Exploit failed: An exploitation error occurred.".

    What could be wrong here?

    I'm 99.9999% sure I filled in all params right. I checked and checked again

    The messages imply something is wrong, so you need to work through everything and validate it again. I know that sounds frustrating, but the error message is telling you something isn't right and we can't see what's on your screen.

    Common issues are things like the path chosen, credentials used, payload.

    If you really aren't sure, try changing them one at a time. Try using a known bad value to see if it changes the outcome. Etc.

    TazWake

