Official Passage Discussion

Official discussion thread for Passage. Please do not post any spoilers or big hints.

«13456789

Comments

  • Hey everyone!

    I hope you enjoy the box. As always, please refrain from giving out hints until both First Bloods are taken.

    After that, I will be sharing some hints of my own. At that time, feel free to PM me for nudges!

    Good luck!

    ChefByzen
    If I helped you out at all, feel free to click my badge and give +1 respect!

  • Box lagging so much, getting connection refused and the pages are not charging properly, i think i will miss my first blood attempt

    666snippet

  • yeah its hard when boxes are new.. lag is unavoidable :(

    think i have this one well the user anyway until the lag started, go back to sleep to the country that got up and all decided to go to htb.com haha

    GL all

  • edited September 5
    The first time attempting for blood and got the user. Already bloods were gone. :sweat_smile:

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • edited September 6

    Spoiler Removed

  • I don't know... this release area is a great innovation, but on both release area and "public" servers the machine is so hammered that I cannot finish a single gobuster with a small list like quickhits, my nmap quick-scan took longer than other people needed for blood. :|

    Hack The Box
    Anger is more useful than despair - T800

  • @sparkla said:

    I don't know... this release area is a great innovation, but on both release area and "public" servers the machine is so hammered that I cannot finish a single gobuster with a small list like quickhits, my nmap quick-scan took longer than other people needed for blood. :|

    In theory, the release arena is unique to you - other people cant be hammering it.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Congratulations to the team usdHeroLab (https://www.hackthebox.eu/home/teams/profile/1399) for achieving both First Bloods! Great work

    ChefByzen
    If I helped you out at all, feel free to click my badge and give +1 respect!

  • edited September 5

    I don't know... this release area is a great innovation, but on both release area and "public" servers the machine is so hammered that I cannot finish a single gobuster with a small list like quickhits, my nmap quick-scan took longer than other people needed for blood. :|

    Maybe bruteforcing isn't the way to go here... :smile:

    ChefByzen
    If I helped you out at all, feel free to click my badge and give +1 respect!

  • Fun box so far, got user.txt -- working on root but starting to run into dead ends. The 'Very Easy' rating means I've probably missed something obvious.

  • @TazWake said:
    In theory, the release arena is unique to you - other people cant be hammering it.

    That's what I thought... still I'm getting "unable to connect..." by gobuster and "connection timeout" by Firefox. It's works in between and I can see the "news", then drops dead again. Reset the Release Arena box but it didn't change.

    @ChefByzen said:
    Maybe bruteforcing isn't the way to go here... :smile:

    And I wrote "I'm doing bruteforcing" exactly where? :smile:
    Except you call nmap, Nikto or gobuster bruteforcing..

    I did read about F2B, so maybe it's "intended" - but usually the "Fail" means failing on a login attempt not 404s.

    Hack The Box
    Anger is more useful than despair - T800

  • Type your comment> @COSMICTHRILL said:

    Fun box so far, got user.txt -- working on root but starting to run into dead ends. The 'Very Easy' rating means I've probably missed something obvious.

    Same here

    OSCP | Stay root! | Twitter: S1lky_1337

  • @Silky said:

    Same here

    I've moved to second user, but no root yet :)

  • edited September 5

    Rooted, more an easy one but great box, thanks for the ride @ChefByzen
    From user 2 to root, it's pretty funny how the vuln works.

    'These violent delights have violent ends'

  • any hints on root part ???

    offs3cg33k

  • edited September 5

    @offs3cg33k said:

    any hints on root part ???

    The only thing you need to know is stay at home, it's covid time after all, always better to stay at home and read some book ;)

    'These violent delights have violent ends'

  • Type your comment> @sparkla said:

    @TazWake said:
    In theory, the release arena is unique to you - other people cant be hammering it.

    That's what I thought... still I'm getting "unable to connect..." by gobuster and "connection timeout" by Firefox. It's works in between and I can see the "news", then drops dead again. Reset the Release Arena box but it didn't change.

    @ChefByzen said:
    Maybe bruteforcing isn't the way to go here... :smile:

    And I wrote "I'm doing bruteforcing" exactly where? :smile:
    Except you call nmap, Nikto or gobuster bruteforcing..

    I did read about F2B, so maybe it's "intended" - but usually the "Fail" means failing on a login attempt not 404s.

    I'm not the owner of the box (obviously), but F2B can be configured to detect (and ban) directory brute forcing.

  • If F2B isn't enough of a hint, you definitely do not need any sort of bruteforcing/fuzzing for initial foothold.

    This one is all about the basics IMO.

    Hack The Box

  • edited September 6

    Rooted. Very very Easy machine.
    My hints-

    For Foothold: Just look for CVE and try it.
    For User 1: Enum on the landing root dir. R0ckYou will rock you.
    For User 2: User1 and User2 are very good friends. They share everything.
    For User 3: Stay Home and play hide & seek. Google all the way will land you on a good article. ;)

    PM for a little bit cryptic nuggets.

    @ChefByzen Thanks for the cool machine. ;)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Pwned. Great Box. Got stuck unnecessarily at first user, just because I was overlooking.

    Thanks @ChefByzen

  • edited September 6

    connection refused

    Scorpion4347

  • Type your comment> @scorpion4347 said:

    connection refused

    Are you bruteforcing something you ought not to be?

  • edited September 6

    anyone got a nudge for user 2?? been stuck for a long time now :(

  • Rooted.. pm for nudges
  • > @scorpion4347 said:
    > yaa

    This box doesnt need bruteforce
  • Type your comment> @soraa said:

    anyone got a nudge for user 2?? been stuck for a long time now :(

    If you got User 1 already, then you need to be in-home and check all the files. :)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Type your comment> @soraa said:

    anyone got a nudge for user 2?? been stuck for a long time now :(

    Dont look far. :) Just right infront of you

  • Type your comment> @gunroot said:

    Type your comment> @soraa said:

    anyone got a nudge for user 2?? been stuck for a long time now :(

    If you got User 1 already, then you need to be in-home and check all the files. :)

    oh wow i got it thx !!!

  • edited September 6

    @kaungmyatmin said:
    Type your comment> @soraa said:

    anyone got a nudge for user 2?? been stuck for a long time now :(

    Dont look far. :) Just right infront of you

    TYSM :) :)

Sign In to comment.