Official Laboratory Discussion


Comments

  • @AnonHack3r said:

    Someone give me a nudge: I want to retain U**** P** of D**. How would I go about that, as I do not want to reset the p**? PM me please.

    I hope someone replies to you on this because I don't think I know what you are talking about. I've checked my notes and can't for the life of me work out what this could be related to, sorry.

    Is this initial foothold, getting user or getting root?

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    @AnonHack3r said:

    Someone give me a nudge: I want to retain U**** P** of D**. How would I go about that, as I do not want to reset the p**? PM me please.

    I hope someone replies to you on this because I don't think I know what you are talking about. I've checked my notes and can't for the life of me work out what this could be related to, sorry.

    Is this initial foothold, getting user or getting root?

    No worries, I greatly appreciate the help. I accomplished the initial foothold; it took a little setting up and stuff. Now I am on the stage of getting the user? pass? =]

  • edited February 9
    Rooted. Crazy learning experience. Didn't create a local instance to gain access; there's an interesting chained POC. Foothold with a low shell, managed to upgrade it with perl, nothing else worked.

    Finding user was crazy and interesting, spent a loooot of time at this stage. Repositories might help in the right direction and from there Google was my best friend for a few days.
    Root was a bit easier than user, if you follow the hints, find that exec and the correct PATH. Google showed me how. Definitely not an easy machine, more like a custom exploitation one.
    Thanks guys for all the hints, could not have owned the machine without help from you!!

  • edited February 13

    edit: ayeye, still managed to take days with all the hints here and a framework module.
    The funniest shit is that I test if my rev shell is working with the command ls, not id, not pwd, not even ls -la, but ls, and uh, the landing dir is empty >_>

    I see many ppl comment on the rooting process as "follow the hint", which makes me think there's an alternative way of getting root, as my trying-to-let-a-quiet-binary-spit-out-some-info doesn't really involve a hint: the binary stands out after a very, very routine enum. Can we smh talk about dat? Dat sounds interesting :<

    what_what

  • edited February 10

    Got foothold as user g**.

    What should I be looking for from here on?! Checking repositories... but found nothing of interest I guess......
    A little assist would be appreciated! Thank you

  • This was a fun box, thanks a lot! I did a couple of easy boxes before but this is the first one for me without hints!

    foothold: super easy with msf
    user: simple after a bit of enumerating (there are like three ways to find it at least)
    root:
    1. "wrong" way first with B**** S****** :smiley:
    2. "right" way with a bit of enumeration and path handling

    Thanks once more!

  • edited February 20

    Finally rooted. Not an easy box at all tbh.

    Foothold: Search for a public e*****t that lets you obtain r***** s**** without setting up l***l g****b e********t. Personally I had to do some tricks to have a stable working condition.

    User: Know where you are and what is used below you. Google how to r*** u*** p*******. Go back where you started and retrieve useful stuff that lets you have a stable foot in.

    Root: This took me a while after using a typical enum tool. Finally, with a deeper look at the enumeration output and a deeper look into the thing the enumeration tool pointed you to, I followed the right PATH and managed to trick that thing in order to do something evil and gain root privileges.

    Important note: struggled a lot for this box with HTB free servers, I had to switch several times for the foothold part, finally switching to AUS server ended my pains.

    Thanks a lot for the box!

    alemusix

  • edited February 21

    Long time lurker here.

    I've been working boxes here for almost a year and I have to say, the initial foothold and getting to user on this one does not warrant an easy rating on this box. It's intermediate at the very least.

    That being said, I will say, if your attack VM is robust, the D****r route for GL will make your life easier.

    Although it was a bunch of hoops, this was a fun box and I recommend this one for everyone.

  • I am on the verge of getting the foothold but struggling with msf. I could really use a nudge from anyone. I can explain what I have found in a PM.

    Thank you in advance.

  • edited February 23

    Rooted.
    Thank you @Tazwake for the last nudge I needed :)

    For people struggling with the foothold, msf is your friend for an easy win.

    One of my main challenges with this was my own environment. My SSH connection kept dropping but eventually resolved it by switching from UDP to TCP.
    Did anyone else have issues with the connectivity to the box once being inside it?

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • Finally! What a journey.

    I'm curious how others have gained foothold. I didn't set up a similar environment as the box. Hope to share thinking processes and paths taken with others via PM.

    Foothold
    You probably found something interesting but cannot get RCE. Halt the exploit a step at a time to see where it is being sent.

    User
    You have powers to change something important to others without any prior knowledge. Noisy PE-aS can help you.

    Root
    Find something with special powers. You can look inside and Trace what it does. Look carefully and then literally get in its WAY.

    This is by no means an easy box! The sooner you realise this, the less you will feel deflated when you go through each stage. Don't give up. PM me if you need some nudges.

  • Very glad that the foothold has been scripted out, a tough one for an easy box!

    LordImhotep

  • Finally rooted.. feeling devastated though.
    This is probably the hardest Medium box I have ever done and yet it is rated Easy.. you really have to think and try a lot of things if you have no earlier experience with the techniques used in this box.

    I am wondering, did anyone do the root by hacking the shared libraries?
    (There's a simpler way but still)

  • edited February 26

    Fun box thus far

  • Awesome box, very challenging. Ping me for nudges.

  • edited February 27

    Hey guys,

    Anyone faced "Exploit failed: NameError uninitialized constant Rex::Version" in msf? It was working fine yesterday but today I am getting this!

    Any idea on this is appreciated.

    EDIT: found a workaround for it.. but not sure why it happened!

  • Spoiler Removed

  • When I used the POC for G***** in rails, my Kali gives an error: sh: 1: Syntax error: Bad fd number
    Can someone tell me why plz? PM me, thx

  • Great box thanks @0xc4afe ! For those talking about resetting the box and updating the default user accounts, there is no need, you can power yourself up to find the secret sauce, just follow the chugga chugga, chugga chugga, choo choo.

    I've read a few other write-ups since owning and there is definitely an easy and hard way to get the foothold, which for sure takes it from an Easy to Medium box. I'd be interested to know which was "intended".

    PM me for hints

  • Hi, I'm stuck at G***** page, can anyone give me any hints to get foothold, user credentials ? >:(

  • edited March 11

    @quangvo said:

    Hi, I'm stuck at G***** page, can anyone give me any hints to get foothold, user credentials ? >:(

    Just enumerate some more on the page. Look for what you can do on the G***** page... And if you have access, find that important number to enumerate more information about the G*****

  • edited March 12

    Got stuck in the process, can anyone give me a nudge in the right direction?

    1) Found the G***** page
    2) Started a reverse shell via g********.py
    3) Got a user g++ (added the plus instead of *, cause it changed it to bold)
    4) Found out I'm in a c*******r (probably d****r)
    5) Looked for the manual online for G*****
    6) Found a user d***** with a command, the connection lost again
    7) Started a new reverse shell via g********.py
    8) Tried to follow the instructions to G***** D++s S******y - H++ 2 r+++t **** p******d (used the + symbol instead of * because of the markdown bold and italic options)
    9) Did not get any feedback after following the instruction from the official documentation as mentioned in step 8...

    So I was thinking, my reverse shell is not correct, or I am doing something wrong with following the instruction from the official documentation. Or is there another way to break out of the freaking thing?

  • I got stuck here, can anyone help me to move forward?
    1) I got a reverse shell with the g** user
    2) Found out that I am in a dumb shell (I tried to upgrade it to an interactive shell but haven't had any luck)
    3) g*****-**** console didn't give anything back but "Switch to inspect mode"

    So I was thinking that because the shell I got was a dumb shell, I cannot access the console?? And the reverse shell is highly unstable; every time I execute some specific command it always returns a 502 status code for me.

  • Is anyone else having constant 502 in the g***** page?

  • @kyichu said:

    Is anyone else having constant 502 in the g***** page?

    I think it is fairly common. It has been mentioned loads of times in this thread. The general tip is wait for a bit and if it feels "too" long, report it to HTB.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • Thanks for this box. This was really interesting and I was struggling in the first attempt with foothold to get user. After I started to review my notes again some days later, I was clear about the path to move forward :-) Afterwards I was kicking my ass since I was already at 99% before I gave up ;-)

    Enumeration is key on this box. Anything else is already there if you use latest Kali. No need to use additional tools, scripts, etc. at all (except one to maybe simplify/automate your enumeration ;-)).

  • Oof. That was fun; definitely learnt a few things. Need to go back and understand how the foothold was actually gained though, as I just used something out-of-the-box from msf.

    Foothold - As others have said - enumerate lots, check software versions for known vulns, google. I spent a long time staring at that main website because I forgot to do a certain type of enumeration, but fuzzed my way there in the end.

    User - Not sure whether I did this the right way, but this took me the longest time by far. Once you have a foothold, try to find out 'where you actually are'. Once you understand that, just have a look around. An old enumeration script ended up pointing me in the right (?) direction.

    Root - Again, enumerate, you'll find something interesting.

    Can't say I had any of the problems with 502's I'm seeing people talk about though.

  • Can someone please help me....? I'm stuck for many days.

    I got a reverse shell (a highly unstable one), but it's just a dumb shell and there is nothing much I can do with that. I have tried several ways to upgrade to a full interactive shell but I have no luck with that. I need help to move forward.

  • Rooted. Fun box, but I wouldn't say it was easy.

    Foothold:

    • Nmap and Google are your best friends here; get the software version and search for known vulns and eventually you will find the right article
    • You may encounter some dependency issue; if you do, use g*****-r**** c****** instead of r**** c******

    User:

    • Enumerate, there are some pretty good scripts out there. Read the output carefully. If you can't crack it, you can change it. Don't forget to reset the machine if you choose to change it

    Root:

    • More enumeration, there is a very interesting file; read what it does and manipulate it

    Feel free to PM for nudges and to remove if too many spoilers
