Official Compromised Discussion

Comments

  • @sparkla said:

    Have players been hacked?

    Not as far as I am aware. Given the difficulty in compromising SSH directly and the chance of getting a different IP each time you connect, blocking port 22 outbound seems like an odd choice. It may be down to something else (administrative interfaces, how the lab environment is configured, VPN issues etc).

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @Tazwake Can I have the reason why we need SSH here?

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • @TazWake said:
    Not as far as I am aware. Given the difficulty in compromising SSH directly and the chance of getting a different IP each time you connect, blocking port 22 outbound seems like an odd choice. It may be down to something else (administrative interfaces, how the lab environment is configured, VPN issues etc).

    They said it's because so many people are using the default credentials, which leaves them open to easy access.

  • @gunroot said:

    @Tazwake Can I have the reason why we need SSH here?

    "need" is a strong word. You can certainly use it on this box but I don't know why you'd want to go from the box to your machine here.

    TazWake

  • @metuldann said:

    They said it's because so many people are using the default credentials, which leaves them open to easy access.

    Ok - I can't argue with their decisions. I disagree with their thinking here and the solution seems heavy-handed but it is their environment.

    TazWake

  • I think we confused other players to the maximum extent.

    To make some points clear about compromised.htb

    • flag is not in my*** user (first user) home but needs second user
    • ssh is necessary for one step
    • scp may be used for file transfer in both directions but connection can only be established in direction kali -> box, file copy still works in both directions, check help / syntax
    • outgoing connections from box -> kali may be limited not only by the new htb-wide ssh restriction, but also include other tools / ports. Opinions differ about this point.

    Hack The Box

  • edited September 23

    afaik ssh doesn't have "default" creds. But I can see a high chance for players setting it up very open on purpose cause they fiddle with a box and wanna rule out errors on that end.

    I found myself using "pass" or "password" on more than one occasion, it becomes a bad habit while aiming for speed here.

    My criticism would go more into the direction of "bad communications", I'm here all the time and found out about it randomly.

    Hack The Box

  • @sparkla said:
    No, I haven't "lost peace of mind". Not sure why you said that. I valued your previous comments but didn't wanna let things escalate into endless HTB bashing, also I think we can only guess what's going on behind the scenes, if we don't get an official answer. Problems here are very real and some are severe. Problems with the boxes are one thing, how we treat each other is another, how we are being treated maybe the most important one. We have to consider if our words do improve the issues or maybe make them worse. But it doesn't really belong here in a box thread, so let's cut it.

    I actually thought you would like my little bit of sarcasm -:)
    It was not my intention to offend you or anyone else.

    m4rc1n

  • edited September 23

    @TazWake said:

    Some things to consider:

    • locate is (at least in my experience) really hit and miss. It frequently misses files on my local system because I don't keep the database up to date.
    • each user account has set privs, if the account you are in doesn't have privs to see the file, you might not be able to find it with other tools. Keep in mind what account is being used by which "exploit."
    • If you use the second account via the first bit, the output is muddy so it isn't great for broad searching (targeted enumeration still works).

    On this box, there is no need to hunt the flags. They are exactly where they should be.

    Just rooted.
    There are enough hints here already, but I would like to clarify some stuff.
    I was a bit surprised about all those discussions about locate/grep/find. Everything seemed to be straightforward in this machine.
    Also connectivity was not really a problem because no rev or bind shell is really needed.
    One item required from the box can be very easily copied.
    The most enjoyable part was actually the one with m**** hence getting first user. This part is very nicely described in public (google-fu). Similar stuff can be found on one of the machines in the lab where candidates for a very famous certification practice their skills -:)
    The rest was also fine, but I used a small hint regarding which item needs to be copied for privesc (thank you @Noobish!!!). A little bit of r** gave me root on the machine.
    Overall quite enjoyable.

    m4rc1n

  • @m4rc1n said:

    I was a bit surprised about all those discussions about locate/grep/find. Everything seemed to be straightforward in this machine.

    It may have been down to a misunderstanding about which account was which.

    TazWake

  • > @m4rc1n said:
    > I actually thought you would like my little bit of sarcasm -:)
    Practice and you eventually get good at it. :)

    > It was not my intention to offend you or anyone else.
    Of course not. Oups.

    Hack The Box

  • > @TazWake said:
    > It may have been down to a misunderstanding about which account was which.

    Or one of the 28 unintended malfunctions.

    Hack The Box

  • @m4rc1n said:
    > The most enjoyable part was actually the one with m**** hence getting first user. This part is very nicely described in public (google-fu)

    Where tf did you find it? :joy: I searched for at least an hour or two before giving in and asking Taz

    But I agree it was really interesting

    LMAY75
    Always happy to help, DM me if you need anything!

  • In my opinion it is easy to lose the correct way, and you could feel frustrated, but the box is funny and there are a lot of things to learn.
    Thanks @LMAY75 .

    PM if you need a hint.

  • edited September 25

    Hey guys, need a little help here.
    I've spent all day and could not progress. I am able to upload files, even managed to get a limited shell from there. I saw the user with shell that usually does not have it.
    So I took a step back and managed to interact with the database as r**t. As far as I am aware of, I have f**_priv but I couldn't do anything with it.

    I'm thinking I'm losing myself in rabbit holes. Can anyone give me a hand?

  • @nom4D said:

    Hey guys, need a little help here.
    I've spent all day and could not progress. I am able to upload files, even managed to get a limited shell from there. I saw the user with shell that usually does not have it.
    So I took a step back and managed to interact with the database as r**t. As far as I am aware of, I have f**_priv but I couldn't do anything with it.

    I'm thinking I'm losing myself in rabbit holes. Can anyone give me a hand?

    DM me

    LMAY75

  • Owned it a few seconds ago.
    First of all, let me thank @LMAY75 for his help! (+respect to you pal!)
    The machine:
    It's great! I liked almost every step of it.
    All the hints are already there, so my suggestion is to open your eyes wide and avoid being lazy like me: double (or triple) check everything you do, otherwise you'll end up blaming the universe, begging for help just because of a typo...

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • Stuck on root. Did all kinds of enumeration, tried a few exploits without success but got nothing. Could anyone give me a nudge pls? (read all the forum pages more than once but couldn't realize the path).

  • @nom4D said:

    Stuck on root. Did all kinds of enumeration, tried a few exploits without success but got nothing. Could anyone give me a nudge pls? (read all the forum pages more than once but couldn't realize the path).

    Look for something the attackers have changed, possibly with a view to allowing themselves back in at a later date.

    TazWake

  • Finally rooted the machine. It was a fun box, learnt a lot from this box.
    Thanks to all the people who gave nudges.

    Anyone who is having trouble with transferring the file can read this article
    https://linuxize.com/post/how-to-use-scp-command-to-securely-transfer-files/
    Also don't try for reverse shell because you will only waste your time doing so.

    For initial foothold: backup and Exploit db has something for you. Look at the info to know what to avoid.

    For user1: if you can dump then you can get inside

    For user2: Stay home and read the files

    For root: Look what he has changed.

    PM if you need help

  • edited September 29

    I'm so close to root. So close, I can see it on two lines... but it seems I'm not getting the information I need from them. Is there someone who can give me a sanity check towards root?

    edit: got it. Great box, love the confidence building enumeration in the beginning, only to beat the ever-loving crap out of you right when you figure out rce!

    my only hint to those who might get stuck where I was: sometimes things are a little bit inside-out.

    There's another path I want to try taking too.

    Cyberpathogen

  • Rooted. Definitely found this one a big challenge. Huge thanks to @TazWake for continued, never-ending patience and to @D4nch3n for taking the time to create the box.

    Hack The Box

  • edited September 28

    found creds! so far i haven't needed a lifeboat. maybe this time i'll get through a 'hard' box without help? we will see... fun though

    Arrexel

  • Can someone please give me a nudge for initial foothold. I've got the tar and I've got the exploit, but I can't seem to figure out what to do next

  • @Qtang said:

    Can someone please give me a nudge for initial foothold. I've got the tar and I've got the exploit, but I can't seem to figure out what to do next

    Read the files. Look for things which might be useful leads. Follow the crumbs and see if they exist. If they do, read what's in them. Find loot. Use that loot.

    TazWake

  • ok i'm wasting too much time and not learning anymore...need a push.

    I can list dirs, read files, but I cannot figure out how to get RCE so I can do what I need to do with the user who should not be able to login. I've tried every method I could find for this situation and none of them will work.

    anyone in the mood to slap me upside the head?

    Arrexel

  • @b3nd0 said:

    ok i'm wasting too much time and not learning anymore...need a push.

    I can list dirs, read files, but I cannot figure out how to get RCE so I can do what I need to do with the user who should not be able to login.

    You have the password for that user, so you can issue queries against what it would normally be. Then you can use the functionality that has to give yourself a way in.

    I've tried every method I could find for this situation and none of them will work.

    anyone in the mood to slap me upside the head?

    TazWake

  • This was quite a fun box, mainly focused on enumeration. In almost every step, if you have found the thing you are supposed to find, exploiting/using it isn't that difficult or time consuming. Finding it can be...
    There are some great hints on the forum, to which I don't have anything to add... But if someone needs a small nudge, feel free to send me a PM :)

    ArtemisFY
    OSCP

  • @TazWake

    Where tf did you find it? :joy: I searched for at least an hour or two before giving in and asking Taz

    @LMAY75 Yea I tried my damnedest to not ask for help, but I had to ask taz too. makes me laugh when I imagine the day he must have on here, like a drill instructor walking through a field of shenanigans:

    "Code with two hands boy, this isn't a rap concert. Private, why will your exploit not fire?...your magazine is upside down son! How did YOU end up on your own botnet?"

    Arrexel

  • @b3nd0 That's funny lol. 😂😆

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps
