Dante Discussion

13 Comments

  • @dtwozero said:

    Is there anyone that has gotten the foothold yet on the first box? I'd like to share what I've done so far, and maybe you can point me in the right direction?

    Feel free to DM me. I have done the entire lab.

    limelight

  • @BaddKharma said:

    So apparently the Dante Labs breaks down for users who are forced to use the TCP protocol for their connection pack. My current network will not allow me to use UDP for my tunnels, so I must convert my connection to Proto TCP. This has worked well for me in the other HTB machines, but not for Dante.

    Does anyone know what could be done to force the TCP or should I submit a service ticket to HTB?

    I am assuming you tried this, just making sure you saw it though;

    Alternate TCP Connection

    By default, our network uses UDP port 1337. If this port is blocked at your location, you can try switching to TCP 443 by editing your .ovpn file.

    Change proto udp to proto tcp
    Change remote {serverAddressHere} 1337 to remote {serverAddressHere} 443
    Change <tls-auth> to <tls-crypt>
    Change </tls-auth> to </tls-crypt>
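    The four edits from the post above, as an added example script (not from the thread or from HTB) that rewrites a copy of the profile and checks the result; the sample .ovpn and its server address are constructed placeholders, and the post quoted in later replies reports that the resulting TCP profile still does not work for Dante specifically.

```shell
#!/bin/sh
# Added example, not from the thread: apply the "Alternate TCP Connection"
# edits to an OpenVPN profile and verify them. The profile written by
# make_sample_ovpn is constructed; the remote host is a placeholder.

# Write a constructed sample profile resembling the default UDP pack.
make_sample_ovpn() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn-placeholder.example.net 1337
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# The four edits from the post: proto udp -> proto tcp, port 1337 -> 443,
# and the tls-auth tags -> tls-crypt tags. Writes to "$2" so "$1" is kept.
convert_to_tcp443() {
  sed -e 's/^proto udp$/proto tcp/' \
      -e 's/^\(remote [^ ]*\) 1337$/\1 443/' \
      -e 's#^<tls-auth>$#<tls-crypt>#' \
      -e 's#^</tls-auth>$#</tls-crypt>#' "$1" > "$2"
}

# Succeeds only if every expected line is present and no UDP/tls-auth
# leftovers remain, so a half-applied edit is caught before connecting.
check_tcp443() {
  grep -qx 'proto tcp' "$1" || return 1
  grep -q '^remote .* 443$' "$1" || return 1
  grep -qx '<tls-crypt>' "$1" || return 1
  grep -qx '</tls-crypt>' "$1" || return 1
  ! grep -Eq 'tls-auth|proto udp| 1337$' "$1"
}
```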
    
  • So a quick update. I know I'm not going crazy. I think the box needs to be reverted. The service I know I'm supposed to get a clue from is not working correctly. I'm getting errors trying to connect. I also see a long list of exploits in a directory unrelated to that service. Is it possible that this box is toast? Does anyone know the name of it, so we can attempt to revert it?

  • @0PT1MUS said:

    @BaddKharma said:

    So apparently the Dante Labs breaks down for users who are forced to use the TCP protocol for their connection pack. My current network will not allow me to use UDP for my tunnels, so I must convert my connection to Proto TCP. This has worked well for me in the other HTB machines, but not for Dante.

    Does anyone know what could be done to force the TCP or should I submit a service ticket to HTB?

    I am assuming you tried this, just making sure you saw it though;

    Alternate TCP Connection

    By default, our network uses UDP port 1337. If this port is blocked at your location, you can try switching to TCP 443 by editing your .ovpn file.

    Change proto udp to proto tcp
    Change remote {serverAddressHere} 1337 to remote {serverAddressHere} 443
    Change <tls-auth> to <tls-crypt>
    Change </tls-auth> to </tls-crypt>
    

    Yeah the problem exists when you do that, it severs your ability to interact with the first machine at all. Have a service ticket on it that's being worked on. So fair warning to anyone behind a strict firewall/network edge that if you use TCP connections Dante may not work for you until it gets resolved.

  • @BaddKharma said:

    @0PT1MUS said:

    @BaddKharma said:

    So apparently the Dante Labs breaks down for users who are forced to use the TCP protocol for their connection pack. My current network will not allow me to use UDP for my tunnels, so I must convert my connection to Proto TCP. This has worked well for me in the other HTB machines, but not for Dante.

    Does anyone know what could be done to force the TCP or should I submit a service ticket to HTB?

    I am assuming you tried this, just making sure you saw it though;

    Alternate TCP Connection

    By default, our network uses UDP port 1337. If this port is blocked at your location, you can try switching to TCP 443 by editing your .ovpn file.

    Change proto udp to proto tcp
    Change remote {serverAddressHere} 1337 to remote {serverAddressHere} 443
    Change <tls-auth> to <tls-crypt>
    Change </tls-auth> to </tls-crypt>
    

    Yeah the problem exists when you do that, it severs your ability to interact with the first machine at all. Have a service ticket on it that's being worked on. So fair warning to anyone behind a strict firewall/network edge that if you use TCP connections Dante may not work for you until it gets resolved.

    Can confirm, I was never able to get comms sorted to Dante with the TCP option (per the directions already mentioned). Only the default UDP config worked. Because that wasn't an issue for me, I never pursued a solution. Hopefully they can resolve soon for those that can only connect via TCP.

    limelight

  • Does the request reset function work? Every time I load up in Dante2 there is someone else's php code still present.

  • On the topic of the connection issues, I found that working in a VM can muck up the connection. Not 100% sure offhand why this isn't the case for the individual machines outside the labs. I am able to use TCP, just had to add a passthru/bridged interface.

    Also, anyone having issues with NIX02? There is a file that should only exist in a certain users dir under certain conditions, yet those conditions do not seem to be present ....

  • Can someone PM me with a nudge on getting the initial foothold? Got the first flag and the todo.txt file with the user I should be targeting, a possible permissions issue, as well as a possible vulnerability to look out for. Not sure where to go from here. Tried some things to no avail from the info I found.

  • I've been at this for 3 days. There has got to be a faster way to get help, besides the forum, Discord, and support portal. Not happy spending money on this so far.

  • @r0me and @dtwozero It looks like you are on the right track, but sometimes you may have to wait for an attempted exploit to finish.... Feel free to message me if you need a bigger nudge

  • So in US Dante2 I have sent multiple requests to reset the lab; people have left behind their webshells and exploit files, ruining the experience for others. Have sent at least a dozen requests to reset the lab and nothing. Anyone else experienced this?

  • @BaddKharma said:

    So in US Dante2 I have sent multiple requests to reset the lab; people have left behind their webshells and exploit files, ruining the experience for others. Have sent at least a dozen requests to reset the lab and nothing. Anyone else experienced this?

    The lab resets nightly. I know there are at least 2 boxes I can think of that have stuff already on them by design, or just were never removed by creators.

  • edited September 16

    For whoever was assigned IP address 10.10.14.5 in US Dante 1, you are an a** for stripping the entire wordpress site for your reverse shell. If you have to deface a customer product in your pentest you are doing it wrong. You could tuck that code away anywhere on the half a dozen other locations or pages, but nope. You chose to overwrite the main Web Page.

  • Alright, after literally a week of trial and error I have the first 2 flags on the .100 node and I'm finally ready to move on with my enumeration.

    I will say this without spoiling anything: the information you will likely find first will lead very quickly to the first 2 flags.
    Anyone that needs a nudge, feel free to message me.

  • And now, for reasons I still don't understand, just as SOON as I find the foothold, for some reason the machine and ports go down. This is such a fickle environment we're working with here, I swear.

  • edited September 16

    Is anyone else having issues with that .102 webpage being extremely slow, bordering on unusable?

    PS: never mind, it unfu**ed itself :)

    S1ph1lys

    We are the things that were and shall be again

  • edited September 16

    @BaddKharma said:

    For whoever was assigned IP address 10.10.14.5 in US Dante 1, you are an a** for stripping the entire wordpress site for your reverse shell. If you have to deface a customer product in your pentest you are doing it wrong. You could tuck that code away anywhere on the half a dozen other locations or pages, but nope. You chose to overwrite the main Web Page.

    Just my $0.02.... I think HTB is doing a bit of a disservice by advertising this lab as "beginner". I think some folks without any experience go into it thinking it will be accessible material. I really enjoy engaging with people on the forums and helping someone who is stuck via DMs, but I have had a lot of people contact me asking me about every single step on the foothold box.

    For those considering this lab, please know that you really need some experience. I would recommend doing all of the active Easy boxes on HTB first before jumping into this lab. If you are lost on the foothold box, there are a lot more challenging boxes in this lab. Look at the lab write-up and make sure you understand and have some idea of how to tackle the areas they describe.

    limelight

  • @0PT1MUS said:

    @BaddKharma said:

    So in US Dante2 I have sent multiple requests to reset the lab; people have left behind their webshells and exploit files, ruining the experience for others. Have sent at least a dozen requests to reset the lab and nothing. Anyone else experienced this?

    The lab resets nightly. I know there are at least 2 boxes I can think of that have stuff already on them by design, or just were never removed by creators.

    No, this wasn't intentional or part of the challenge. This was a fellow subscriber. I don't mind the occasional enum script or two in /tmp, but this was a blatant disregard for anyone else. To be fair though, at least they didn't replace the entire wordpress site with a reverse shell page, effectively locking the main pivot box for anyone else, like I found this morning.

  • To be honest, I'm here because of an in-class assignment, knowing full well my intuitions are not where they need to be for a medium difficulty CTF lab, and I don't think my institution really looked at this from the angle of "several students ok but not great at PenTesting".

    In my defense, I'm also dealing with issues involving VPN connections to the network itself, as well as a consistent issue with a machine/port going down throughout the day; case in point this morning, when my foothold port on the .100 node went down due to a potential DOS/password change and I lost a good several hours waiting for the machine to re-boot itself. Hopefully, now that I've gotten these first few flags, I'll be able to navigate a bit better onto the network; however, if not, it's not the end of the world.

  • Hi, can anybody offer a hint regarding priv esc on nix02? Have a full shell on the M user and working creds for the F user but not seeing a way forward. Thanks

  • @richeze I got stuck where you are FOREVER it felt. Make sure you know everything that is going on/happening on the system. Feel free to DM

  • To whomever is deleting flags, please know you are an aho!
    Sincerely.

    And yes, I'm talking about a flag that was there earlier but didn't submit right away and was gone when I returned.

    globule655

  • Any nudges for initial? Got the first flag but at a standstill with wp.

  • Any nudges on how to tunnel through to the 172.16.1.0 network? I am using a tool, but it doesn't seem to allow me to use tools like metasploit through the tunnel. I can connect to web pages on the 172 network, but that is it; I haven't been able to run any good tools through the tunnel.

  • @voodooraptor look at using sshuttle with the SSH creds you have found. You won't be able to use nmap, but should be able to do manual enumeration from the pivot box.

    limelight

  • @limelight said:

    @voodooraptor look at using sshuttle with the SSH creds you have found. You won't be able to use nmap, but should be able to do manual enumeration from the pivot box.

    @limelight thanks, yeah, I already enumerated the other boxes; now I am trying to exploit them. I found some interesting info about users M and F but am trying to figure out the passwords for them. The website that I found them on seems to be broken; there is no actual login page. I was going to attempt intruder against it but it seems to be broken.

  • Hey everyone,

    I am currently stuck on the first foothold - I have tried everything I can think of with no luck. Is anyone able to give me any hints? Cheers

  • Anyone have a nudge for where to look after rooting admin-dc02 and nix07?

  • Feel like I have smashed into a wall. I have rooted the below machines, but have yet to find the other network(s). Two of them have interesting entries, but nothing seems to bite when sweeping. Any nudge available without giving too much away?

    DANTE-NIX02
    DANTE-NIX04
    DANTE-WS01
    DANTE-NIX03
    DANTE-DC01
    DANTE-WEB-NIX01
    DANTE-WS03

  • @smugglebunny said:

    Feel like I have smashed into a wall. I have rooted the below machines, but have yet to find the other network(s). Two of them have interesting entries, but nothing seems to bite when sweeping. Any nudge available without giving too much away?

    DANTE-NIX02
    DANTE-NIX04
    DANTE-WS01
    DANTE-NIX03
    DANTE-DC01
    DANTE-WEB-NIX01
    DANTE-WS03

    Which of these boxes would you think might have connectivity to 'admin' machines listed on the lab write up?

    limelight
