Mirai Root

So just as a preface, I’m rather new to this. I was able to get the user hash after about an hour or so and was quite thrilled with myself. However, root is proving to be a bit more complicated. I think I have an idea but haven’t gotten far with it. I think it may have something to do with the hidden HPFS filesystem. Am I barking up the wrong tree here?

I just got this, but I’m not sure if it was the ‘right’ way to go about it. Follow the breadcrumbs they left for you, the data is still there.

Do these breadcrumbs go beyond the usb? And in my opinion, the “right” way is the way that gets you what you want :stuck_out_tongue:

Just remember that EVERYTHING in Linux is a file. Think about what basic commands can be run on files.

@likwidsec said:
Just remember that EVERYTHING in Linux is a file. Think about what basic commands can be run on files.

this

I may need to sleep on what you guys are saying. There’s probably something simple I’m overlooking. I feel like I’m SO close tho. It’s driving me up the wall. I can see what I think is the file I need in testdisk, but I can’t seem to undelete it.

I guess they had to go and make the root difficult since technically getting root was just as easy as user. Might have to start calling myself Hansel after this.

What if you didn’t need to ACTUALLY undelete it though? Knowing that EVERYTHING in Linux is a file (including Hard Drives) … how could you retrieve the plaintext strings that are/were in a file?

(mods feel free to edit my post if that’s too “spoilerish” please)
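The idea in the post above, as an added example that is not part of the original thread: a disk read as a plain file still holds the bytes of a deleted file until they are overwritten, so scanning it for printable runs finds them without any undelete step. The image layout, the sample strings and the function names are constructed for illustration.

```python
import os
import re
import tempfile

SECTOR = 512
PRINTABLE = re.compile(rb"[\x20-\x7e]+")  # runs of printable ASCII

def build_image(path, sectors=64):
    """Constructed sample 'disk': one live file, one deleted but not overwritten."""
    image = bytearray(sectors * SECTOR)
    def put(sector, data):
        image[sector * SECTOR:sector * SECTOR + len(data)] = data
    put(2, b"readme.txt")                       # directory lists the live file only
    put(20, b"CONSTRUCTED-SAMPLE-SECRET-0123456789")  # deleted file's old data block
    put(40, b"nothing sensitive in this file")  # live file's data block
    with open(path, "wb") as fh:
        fh.write(image)

def scan_strings(path, min_len=8, chunk=4096):
    """Return (byte offset, text) for each printable run of at least min_len bytes."""
    hits, buf, base = [], b"", 0                # base = absolute offset of buf[0]
    with open(path, "rb") as dev:
        while True:
            data = dev.read(chunk)
            buf += data
            keep_from = len(buf)
            for m in PRINTABLE.finditer(buf):
                if data and m.end() == len(buf):
                    keep_from = m.start()       # run may continue in the next chunk
                    break
                if len(m.group()) >= min_len:
                    hits.append((base + m.start(), m.group().decode("ascii")))
            if not data:                        # EOF: everything has been reported
                return hits
            base += keep_from
            buf = buf[keep_from:]

def demo(chunk=4096):
    """Build the constructed image in a temp dir and scan it like a raw device."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "disk.img")
        build_image(path)
        return scan_strings(path, chunk=chunk)

if __name__ == "__main__":
    for offset, text in demo():
        print(f"{offset:>8}  {text}")
```

The deleted file's content shows up at its old sector offset even though the directory no longer names it; only overwriting those sectors removes it.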

I think I get what you’re saying, at least in principle. I think right now my lack of knowledge in Linux and the tools/cmds available is what’s holding me back. I’m not a complete noob but definitely not at sysadmin level.
I would like to say thanks tho, I know it’s difficult to guide people when you don’t know what they know and you can’t flat out give it away. (Not that I’d want you to either, there’s no satisfaction in it!)

@Axkicker said:
I think I get what you’re saying, at least in principle. I think right now my lack of knowledge in Linux and the tools/cmds available is what’s holding me back. I’m not a complete noob but definitely not at sysadmin level.
I would like to say thanks tho, I know it’s difficult to guide people when you don’t know what they know and you can’t flat out give it away. (Not that I’d want you to either, there’s no satisfaction in it!)

For sure. I especially don’t want to just GIVE you the answer, since nobody learns anything that way. But I don’t mind helping nudge you along in the right direction. Just think about what you need to do overall. So you need to figure out how you might access a drive that you are unsure of how to access. Research the Linux commands to show you what hard drives exist on the system. Research the commands that can show you how much hard disk space remains on said system. Research commands that will show you the contents of files. You have your answer. Good luck. :slight_smile:

Well, I feel dumb. I’ve seen it at least 3 times in the last two days. THANK YOU tho for your help! Feels better to have two roots now xD

I’m right in the root part and it’s intriguing. So, what you guys are saying is that we don’t need any additional tool to get the root hash, just using tools already installed, and built-in Linux tools is enough to get root hash?


Edit: indeed, NO need for any additional tool, just basic Linux commands… This machine is so easy that it turns out a bit “hard”, because people (like me) won’t believe it was “this” and “that” to complete this machine…

@JChris said:
I’m right in the root part and it’s intriguing. So, what you guys are saying is that we don’t need any additional tool to get the root hash, just using tools already installed, and built-in Linux tools is enough to get root hash?


Edit: indeed, NO need for any additional tool, just basic Linux commands… This machine is so easy that it turns out a bit “hard”, because people (like me) won’t believe it was “this” and “that” to complete this machine…

This machine is one of the more “CTF-Style” machines on HTB. Some people like boxes set up like that. Some people do not … I personally am one of the ones that do not. But they are all a good learning experience.

@likwidsec said:

@JChris said:
I’m right in the root part and it’s intriguing. So, what you guys are saying is that we don’t need any additional tool to get the root hash, just using tools already installed, and built-in Linux tools is enough to get root hash?


Edit: indeed, NO need for any additional tool, just basic Linux commands… This machine is so easy that it turns out a bit “hard”, because people (like me) won’t believe it was “this” and “that” to complete this machine…

This machine is one of the more “CTF-Style” machines on HTB. Some people like boxes set up like that. Some people do not … I personally am one of the ones that do not. But they are all a good learning experience.

I got root access and I noticed I have to recover the file from the device. I did some research on Google but still no luck. I tried "lsof | grep xxx" but got no result, and also "file lost+found/* | grep…" too, but that is not working either. May I know what kind of basic Linux command can do it, or any hints? Thanks!

Try researching commands that will let you mount a device in Linux and maybe commands that show the amount of hard disk space that is currently used and the amount that is currently remaining. Basic Linux stuff. Finally, research any commands that perform manipulation/exploration of the contents of files. Remember that everything in Linux is ultimately a file. Even physical devices. Good luck. :slight_smile:

Thanks for your comment, and someone also PMed me some hints. All are valuable and finally, I got the content.

I found that the command I Googled before was not working because I was not clear on some Linux concepts; I confused the mapped device and physical device path.

A very good lesson to learn on Linux commands.

Don’t overthink this puppy! Wasted a couple of days overthinking this one. With the tips provided here you should have all you need to own this one.

Need a hint for a Linux command to recover the file??

Everything is a file…
How do you look inside a file on Linux?

@likwidsec said:
What if you didn’t need to ACTUALLY undelete it though? Knowing that EVERYTHING in Linux is a file (including Hard Drives) … how could you retrieve the plaintext strings that are/were in a file?

(mods feel free to edit my post if that’s too “spoilerish” please)

Thank you for your help.
No extra tools are needed, just Linux commands :slight_smile: