Official Spider Discussion

Official discussion thread for Spider. Please do not post any spoilers or big hints.

«1

Comments

  • So I'm officially lost. I think I have an idea of what the foothold might be related to, but lost and not sure why or to what end this needs to be decoded.
  • m9sm9s
    edited May 30

    del

    Feel free to PM me, asking for clues and nudges

  • Was seeing web page last night when started work on box. Now only getting HTTP 500 Internal Server Error on almost every endpoint despite multiple instance resets. ¯_(ツ)_/¯

  • @jps3 said:
    Was seeing web page last night when started work on box. Now only getting HTTP 500 Internal Server Error on almost every endpoint despite multiple instance resets. ¯_(ツ)_/¯

    Same here... Is the machine broken now?

  • edited May 30

    Type your comment> @jps3 said:

    Was seeing web page last night when started work on box. Now only getting HTTP 500 Internal Server Error on almost every endpoint despite multiple instance resets. ¯_(ツ)_/¯

    same here, but try gobuster... some links are working

  • For all of you experiencing this issue, maybe try resetting the machine and also deleting your cookies? Might help out.

  • Type your comment> @elveskevtar said:

    For all of you experiencing this issue, maybe try resetting the machine and also deleting your cookies? Might help out.

    Machine has been reset multiple times, including stopping and walking away for hours starting a new instance, as well as both Kali VM and host machine being shut down in between. Cookies are deleted every time browser closes.

    Still encountering HTTP 500 Internal Server Error, which did not occur the first two times working on Spider. So, assuming something broken on HackTheBox's end.

  • Type your comment> @jps3 said:

    Type your comment> @elveskevtar said:

    For all of you experiencing this issue, maybe try resetting the machine and also deleting your cookies? Might help out.

    Machine has been reset multiple times, including stopping and walking away for hours starting a new instance, as well as both Kali VM and host machine being shut down in between. Cookies are deleted every time browser closes.

    Still encountering HTTP 500 Internal Server Error, which did not occur the first two times working on Spider. So, assuming something broken on HackTheBox's end.

    Yep I had to switch from release arena to VIP to get it to work. Even then eventually i had an issue but i reset the machine, I wasted hours thinking the internal 500 error was supposed to be there. Silly me.

  • any hints for foothold ?

  • I was convinced I had something wrong last night, but now I think I was on the right track and it randomly quit working. It's true if I go to the 'classic' interface I can spawn a VIP instance but I'd rather not share such an unstable machine with anyone else, either.

    jessica0f0116

  • Plenty of other boxes to work on. This feels a bit like one that'll be retired quickly, perhaps? Happens sometimes. :-(

  • 💀kali)-[~/HTB/Spider/privesc]
    └─# ssh [email protected] -i id_rsa 130 ⨯
    Last login: Mon May 24 14:22:35 2021 from 10.10.14.2
    [email protected]:~# id && hostname
    uid=0(root) gid=0(root) groups=0(root)
    spider
    [email protected]:~# ls
    root.txt

    Hack The Box

  • I did got the foothold. It's not even that hard (could maybe be medium even, though I haven't tried the privesc just yet) just rtfm and google around. It's a little frustrating that it didn't work right but if you're having issues just reset it a few times or wait I guess, lol.

    jessica0f0116

  • I solved the 500 by going to https://www.hackthebox.eu/home, the old site, and starting an instance from the "all machines" page instead of using the app vhost and launching it in release arena.

  • edited May 31

    As for getting the foothold and user: figure out what you can control, figure out what your limitations are, establish something that works. One thing leads to the next, so don't go off in a totally different direction if you get stuck. This machine really points you where you need to go, which is nice; I've enjoyed this one a lot.

  • I think this box is what covid came from....

    :) lol thanks @infosecjack this mother was a monster but you hit my itch and I hardly slept since release. :D mmmm that got root bed time vibez!

  • if they had to throw 500 internal server error all over, what is the benefit of box being inside release arena. if i solve this box, am gonna give it the lowest score for sure.

    Eat-Sleep-Shit-Repeat Security
    kragle
    If I helped you, you may +1 with respect

  • sometimes that 500 is a bad cookie or something.

  • No, there is definitely an issue with the box.

    jessica0f0116

  • Deleting the cookie from your browser helped me resolve 500 errors. Resetting does not seem to help

    ruskii

  • edited June 1

    maybe there was an issue on the backend sending the response object. it's something totally unrelated to request cookie, and only manifesting in release arena. trust us guys we're not crazy lol. maybe it was resolved by now or ephemeral, idk i already finished this box.

    jessica0f0116

  • edited June 1

    got root. Dm if need help with steps you did.

    Eat-Sleep-Shit-Repeat Security
    kragle
    If I helped you, you may +1 with respect

  • edited June 1

    Rooted right now. Really a nice a machine!!
    For 500 response errors, delete your cookies, if you have deleted them restart the machine.
    User: don't overthink it is all in front of you, be sure to look on all pages available. If you know how it is built you can control it. Don't trust your eyes and trust what have you seen until now. Fight your limits, the backend technology provides you all the the bricks you need.
    Root: it is not too different, think to what the server evaluate..

    DM me if you need hints.

    bytevsbyt3

  • one of the best box i played recently, excellent to explore this kind of vulnerability.

  • Amazing box, really enjoyed playing with the payloads :)

    Hack The Box
    Click here for HTB Profile: You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • Oh dear...seems like an epic fail on enum for me. I only see a small number of endpoints and have tried the usual attacks on them but not getting anywhere. Gobuster turned up nothing that I couldn't get with manual review - any nudge for what I'm missing?

  • edited June 12

    Rooted.
    Foothold/user: analyze carefully what is in front of you. A specific issue will allow you to do nice stuff that will help you "secretly" recover something. Iterate this issue and finally you'll land on target.
    Root: enumeration is key, once you uncover something look beyond what you see. Analyze everything something odd should not be "allowed"! For me this was the first time I used this kind of scenario within HTB so it was cool to learn something new.

    Thanks for the box!

    alemusix

  • Rooted. User part was new to me. Root was a bit easy or I would say straightforward

  • Nice box. Learned a lot.

  • Phew! What a box, what a thrill, what a ride!!!

    It took me a LONG time to exploit this box. Foothold, user and root were completely new to me. Thanks a bunch to the creator of this box - I enjoyed it a lot!!

    No new hints from me, reading through previous posts should give you all you need.

    DM for hints!

    image

Sign In to comment.