Official Writer Discussion

Official discussion thread for Writer. Please do not post any spoilers or big hints.


Comments

  • Can anyone create the instance? It shows 'Machine is not released yet' for me.

  • For me it's the same. I see the countdown in the old htb dashboard - more than 2 hours left

  • Hmm, been enumerating for hours and found.... nothing!

    f1rstr3am

  • Agreed. I have been trying some elaborate enumeration ideas and have found nothing! I would not know it was a Linux box if it wasn't for the machine description on HTB. I see some folks have already owned it so I know it is possible.

  • edited August 1

    I don't know why I cannot ping the machine. I have changed vpn servers, recreated the instance, still no luck. What am I missing? (btw. this only happens in release arena, works normal in regular machines)

  • @m1r3x said:

    I don't know why I cannot ping the machine. I have changed vpn servers, recreated the instance, still no luck. What am I missing? (btw. this only happens in release arena, works normal in regular machines)

    I'm getting the same issue...

    Hack The Box

  • @mostwantedduck said:

    @m1r3x said:

    I don't know why I cannot ping the machine. I have changed vpn servers, recreated the instance, still no luck. What am I missing? (btw. this only happens in release arena, works normal in regular machines)

    I'm getting the same issue...

    Same same...

  • I had strange timeouts yesterday so I gave up not knowing if it was HTB infrastructure or perhaps a WAF doing its job. Today I realised that my manual approach using a tool did not work but when I dumped file from Burp Suite and let it work with that it seems to work. I can't see why but I am obviously missing something in the request. Gonna go back later and learn from it, now I at least have found something to work with.

    f1rstr3am

  • So I feel like normally boxes don't require brute forcing but does anyone know if it is needed here? I feel like I've hit a wall otherwise, any insight is appreciated!

  • There is no brute forcing needed. You can try simple OWASP Top 10 attacks.

  • I hit a blind man with a stick and here I am still waiting while I read something h4h4

  • This is extremely time-consuming. I think I know what I want to exfiltrate but I don't know where it's stored. And it takes forever to read every byte. User in 2 hours... I am impressed.

    f1rstr3am

  • @f1rstr3am said:

    This is extremely time-consuming. I think I know what I want to exfiltrate but I don't know where it's stored. And it takes forever to read every byte. User in 2 hours... I am impressed.

    Maybe being blind is not the right way to read files ;)

    As you have found the permission, try different ways of reading files ;)

    Hack The Box

  • @f1rstr3am said:

    I had strange timeouts yesterday so I gave up not knowing if it was HTB infrastructure or perhaps a WAF doing its job. Today I realised that my manual approach using a tool did not work but when I dumped file from Burp Suite and let it work with that it seems to work. I can't see why but I am obviously missing something in the request. Gonna go back later and learn from it, now I at least have found something to work with.

    Last night I gave up scanning for anything, this morning scanning I'm finally seeing open ports!

  • I am trying to exploit what I found in the web code. But get stuck on the payload. Can someone give me a hint?

  • @Kalimoe said:

    I am trying to exploit what I found in the web code. But get stuck on the payload. Can someone give me a hint?

    If you are trying foothold from this, I don't think this is the right way.

    Hack The Box

  • Got user. My hint would be not to bother using the automated tool for this one. It takes far too long

  • edited August 2

    Got user but stuck on privesc. Do I have to do anything with the other vhost?

    Kevoenos

  • @Kevoenos said:

    Got user but stuck on privesc. Do I have to do anything with the other vhost?

    How did you get the user then? :)

    Hack The Box

  • Got creds for a service. Don't know where to go from there. I would gladly take a hint :/ PM me!

  • @FQuen said:

    Got creds for a service. Don't know where to go from there. I would gladly take a hint :/ PM me!

    Enumerate which files you can edit ;)

    Hack The Box

  • @jsarmz said:

    @Kevoenos said:

    Got user but stuck on privesc. Do I have to do anything with the other vhost?

    How did you get the user then? :)

    Probably the unintended way, by bruteforcing.. I'll try it the intended way first then.

    Kevoenos

  • Finally Rooted :smile: my first machine done a few hours after release!

    User was quite complicated, since my enumeration process did not pick up everything. The tool I used for the foothold did help in some way, although I ended up copying the generated payload and used it by hand at the end.

    Root was fun - the initial foothold is right there, however the system does bite back so it is absolutely crucial to understand what happens on the system :wink:. I ended up taking multiple steps to get root.

    Very fun machine overall (although it took me more time for user than I expected), although I am not sure if there are multiple ways to exploit it since there are some services that I did not use at all in the end.

  • Was able to use an OWASP top 10 vuln and found I can read various files on the server. Does not seem like I can find the ones I need to, however :-)

  • Nice box, rooted.

    Try!ng Hard3r, N3v3r G!v3Up.

  • edited August 4

    Privesc to root: can't have a proper reverse shell!!
    (user j*** not in group m*******)

    Any help?

  • edited August 3

    well, rooted. Funny box

  • Spoiler Removed

  • Rooted. Priv esc was a lot easier than foothold imo, although I got trolled for a while by my shell after getting user j**n

    [email protected]:~# id
    uid=0(root) gid=0(root) groups=0(root)
    
  • Rooted, forgot the basics.
    Thanks sharkmoos
