Official Academy Discussion


Comments

  • @moose said:

    I was able to escalate my privs on the webpage but I don't fully understand why it worked that way. Can someone point me in the right direction on documentation or explain why changing a certain value worked the way it did? Thanks in advance!

    It's not a "standard" thing; it's just down to how the webapp was coded.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • Rooted!
    I wasn't a fan of the way we switch between users; I feel it's a little too far-fetched. At least the method that I used. I'm happy to find out how others did it!

  • @TazWake said:

    @Sc0rp10ne said:

    I too am stuck on the foothold thing. I believe I found the small change I need to make; I would be happy to discuss my strategy to see if I am headed in the right direction. So far none of the changes allows any new accesses. I'm sure it's got to be something even more simple than what I'm attempting...

    It is a small change. When you make it and it still works, you can log in to a new page with the credentials you have created.

    Thanks @TazWake! Your hints worked. It was a simpler change than I even imagined. Also realized I need to spend some quality time learning gobuster. Forgot to run some features to help find the nuggets I've been looking for. On to the next stage \o/

  • edited November 2020

    Fun box, I did not find it as easy as other people did especially with the enumeration, but here is what I can share.

    Foothold

    When life gives you parameters, mess with them. This will open a door that only privileged users can go through. Once through the door, follow the path in front of you. Errors can reveal who you are and we all have flaws. Well-known exploit tools might even know about this flaw.

    User 1

    Your favourite enumeration pod will reveal what should be of interest. Some keys can open more than one door. If you find such a key, try it against all doors.

    User 2

    A collection of users usually have things in common. When we do things, we leave trails; they can be shrouded, but with the right combination of tools and grep you can un-mask anything. You might want to find the interesting steps taken and then use the proper tool to look at those.
    This is the best I can give without spoiling it for others.

    Root

    If you made it to this point just gtfo here.

    Thanks to @Dilan for narrowing my search for the second user.
    PM for a nudge.

  • edited November 2020

    Can someone please nudge me? I'm stuck after getting reverse-shell as a www-data user, I can see ******* user.txt file but can't read it. I don't understand where to go further.

  • @bascoe10 said:

    Fun box, I did not find it as easy as other people did especially with the enumeration, but here is what I can share.

    Foothold

    When life gives you parameters, mess with them. This will open a door that only privileged users can go through. Once through the door, follow the path in front of you. Errors can reveal who you are and we all have flaws. Well-known exploit tools might even know about this flaw.

    User 1

    Your favourite enumeration pod will reveal what should be of interest. Some keys can open more than one door. If you find such a key, try it against all doors.

    User 2

    A collection of users usually have things in common. When we do things, we leave trails; they can be shrouded, but with the right combination of tools and grep you can un-mask anything. You might want to find the interesting steps taken and then use the proper tool to look at those.
    This is the best I can give without spoiling it for others.

    Root

    If you made it to this point just gtfo here.

    Thanks to @Dilan for narrowing my search for the second user.
    PM for a nudge.

    Could you help me narrow my search please? Stuck on User 2.

  • Rooted!
    Thanks to @deepansh0xB for the nudge! I learned my lesson here.

  • Nice box, I'm done with it.

    laet4x

  • @kalkipoison said:

    Can someone please nudge me? I'm stuck after getting reverse-shell as a www-data user, I can see ******* user.txt file but can't read it. I don't understand where to go further.

    Enumerate. If you ran a tool like nikto against the site, or did a good job with dirb/dirbuster/gobuster/whatever then you should have seen some files that look interesting but you couldn't access them.

    You can look at them in the filesystem.

    If you get any credentials always check for password reuse.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • Rooted

    I thank everyone who gave me tips, but especially to @Harbard thanks for your patience, without you it would not be possible.

    I'm a beginner and it was a little complicated, I learned a lot.

  • Really stuck on user 2, trawling through the logs at the mo with grep and zgrep, but really need direction on the best things to look for; any help would be most appreciated. Enjoying the box so far..

  • @foalma321 said:

    Really stuck on user 2, trawling through the logs at the mo with grep and zgrep, but really need direction on the best things to look for; any help would be most appreciated. Enjoying the box so far..

    If you ran a tool like nikto against the site, or did a good job with dirb/dirbuster/gobuster/whatever then you should have seen some files that look interesting but you couldn't access them.

    You can look at them in the filesystem.

    If you get any credentials always check for password reuse.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @petrostheol said:

    Can someone give me a nudge? I'm enumerating for like 2 hours but still nothing.

    Tried a few days back to back looking at all the pages and sadly for me, I still don't get it... this has made me feel stupid af.

    Hack The Box
    CISSP | eJPT

  • @grav3m1ndbyte said:

    @petrostheol said:

    Can someone give me a nudge? I'm enumerating for like 2 hours but still nothing.

    Tried a few days back to back looking at all the pages and sadly for me, I still don't get it... this has made me feel stupid af.

    It depends what you have done so far, but at a high level make sure you've found a page which implies it has privileged access, then see if you can manipulate the way you create new things to get access.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    @grav3m1ndbyte said:

    @petrostheol said:

    Can someone give me a nudge? I'm enumerating for like 2 hours but still nothing.

    Tried a few days back to back looking at all the pages and sadly for me, I still don't get it... this has made me feel stupid af.

    It depends what you have done so far, but at a high level make sure you've found a page which implies it has privileged access, then see if you can manipulate the way you create new things to get access.

    I get it now...I completely overlooked something the other day while being feverish! smh

    Hack The Box
    CISSP | eJPT

  • Wow, user2 was really needle in a haystack. I wouldn't ever find it without a hint. I wonder if there is any method to search for things like that? Just "try harder"? :wink:

    sparrow1

  • I understand the foothold, but is there a way to observe that what I'm modifying is having an effect? Just wondering how much trial-and-error I should expect to perform.

  • A fun box! I got user2 only with a hint. For people who found it without a hint, could you please PM and explain what logic you used to find it?

  • @Oussmak said:

    A fun box! I got user2 only with a hint. For people who found it without a hint, could you please PM and explain what logic you used to find it?

    Any chance you could pass the hint to me.. been stuck on this user switch for ages. Looking through a*****.l** for ages but don't really know what I'm looking for. Thanks

  • @routetehpacket said:
    I understand the foothold, but is there a way to observe that what I'm modifying is having an effect? Just wondering how much trial-and-error I should expect to perform.

    Have you run gobuster (or any other tool that can brute-force directories/files on a web server)? This might help tremendously :)

    If you need more specific hints, send me a DM.

    But please explain what you did so far and what you want to do next (only regarding this machine, of course ;))

  • Nice box! I spent way too much time looking for the second user, but I learned something new there. The root part took me 5 min…

    If you’re stuck with the first user like I was, maybe try to take a step back and ask yourself what is the obvious thing that you are looking for (it is an easy machine so...)? And where/when/why could that thing be entered into the system??? You know it’s there so, try to filter out your results…

    There are specific tools that you can use but the ‘standard tool’ works fine if you apply the right filters.

    Please PM if you need a nudge.

    Very interesting box, thanks to @egre55 and @mrb3n.

  • edited November 2020

    Edit -- removed by user

  • @d4gd4 said:

    I've become confused about 'user1' and 'user2'. Are people counting www-data as 'user1' sometimes? I had been assuming I need to move through 2 users AFTER www-data.

    Try not to fixate on the terms and paths other people use; it won't always help you.

    There may be multiple paths to get access to the root flag - the only one that matters is the one you can manage it through.

    For example, on this box, there are six user accounts which appear to have interactive shells.

    I have moved on from www-data to another user, and cannot find any info leading me to the next user. I managed to get some enum scripts

    Manual enumeration is often better.

    onto the machine despite there being a clear (very small) limit on the size of files I could copy over, and this gave me some ideas on WHERE to look. I simply don't know what to look for. Some obvious keywords haven't paid off..

    So, first ask yourself what it is you are looking for (and I don't mean "passwords"). Have a think about what activity you want to be doing.

    Then think if that activity is audited. It probably is. That means there might be a log of what has been captured by the auditing system.

    When you find this, there might be too much data to easily read, so now you can narrow it down but, again, think about how it is logged (hint: it doesn't use terms like password).

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited November 2020

    @TazWake Thanks for the advice, I'll keep working on this.

  • Finally ROOTED!!! Shout out to @Oussmak and @reedvaleeve for their help steering me in the right direction. Fun box even though I pulled the few hairs I had left out!!!
    Enumerate, enumerate, enumerate!

  • Got a shell
    Let's see what we got here

  • edited November 2020

    ....

  • Rooted at long last!
    There were just some things in there I didn't know about.
    But that's great because I learned a lot on this box.
    Thanks to @TazWake, @xaif7aLe and @R0cK for their help.

  • edited November 2020

    Gang, sometimes flags might be under your nose; just pay attention to the last symbols :D
