Stratosphere

1910111315

Comments

  • edited July 2018
    The user and all related content has been deleted.
  • edited July 2018

    Keep digging, what else can you find and work with on the box to get more info and maybe even credentials if that file doesn't work? Keep looking, or as they say here enumerate more.

    da1y

    OSWE | OSCP | eCPPTv2

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • got root but man good machine but bit lame at the end.. getting root.!

    overall good Box Thanks to the Creator

    Arrexel
    OSCP | OSCE half way!

  • I feel I've spent several lifetimes doing that :D Other than the stuff which screams out DB creds (and appear to work against the DB), I can't get it any further. I thought I was on to something with loads of what look liked config files but nothing yet.

    Still, back to stringing together long commands :-D

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • @TazWake said:
    I feel I've spent several lifetimes doing that :D Other than the stuff which screams out DB creds (and appear to work against the DB), I can't get it any further. I thought I was on to something with loads of what look liked config files but nothing yet.

    Still, back to stringing together long commands :-D

    If the creds work, take a look inside.

    da1y

    OSWE | OSCP | eCPPTv2

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • That's where it seems to fail - I can get to the point where it "looks like" they work (I am open to a login failure that I haven't recognised though), but any attempts to issue exploration commands fails - with varying error's, I've not been able to get any sense out of them yet.

    So, at the very least, I can take away that I am probably on the "right path" - I just need to work out how to make it work, rather than spend months enumerating every readable file on the file system (I even toyed with the idea of creating a new webpage to see if that would do it).

    I supposed this is half the fun and all the learning of HTB :smile: :smiley: :dizzy: :smile:

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • The webpage idea is interesting. If you can't access it direct because of the access you have, what else could you read? May need a bit of sysadmin knowledge around it. PM if you need a nudge.

    da1y

    OSWE | OSCP | eCPPTv2

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • I'm a bit stuck at privesc. I think I know what needs to happen but I might be looking at the wrong stuff. Could someone shoot me a PM?

    Vex20k

  • I need help with privesc. I've already seen the privileges i have to run the script, i did it and the root script doesn't exist. I tried to edit the commands but password for user r******d keeps prompting. I saw the use of the debugger but it doesn't seem to work. What else can i do?

  • @Blastware said:
    I need help with privesc. I've already seen the privileges i have to run the script, i did it and the root script doesn't exist. I tried to edit the commands but password for user r******d keeps prompting. I saw the use of the debugger but it doesn't seem to work. What else can i do?

    Nvm, i got root, very interesting technique. I'll definitely try it with new machines!

  • edited July 2018

    @Bear said:

    @TazWake said:
    I feel I've spent several lifetimes doing that :D Other than the stuff which screams out DB creds (and appear to work against the DB), I can't get it any further. I thought I was on to something with loads of what look liked config files but nothing yet.

    Still, back to stringing together long commands :-D

    If the creds work, take a look inside.

    I'm able to run queries, but can't find anything in the DB. Am I on the wrong track?! took me hours to find the correct syntax :-) at least I'll remember how to do it :-)

    update: how is it possible you always get it right after posting ? :-)

    mrf1sh

  • @icyDux said:
    Got RCE working, found a few important files but i don't know how to escalate to user. I will be glad if someone wants to discuss this box.

    Hi, can you help me in priv, a lot

  • Rooted! Thanks to @Bear for helping with the last step of user.
    Finding user was a nice journey, it took me quite a lot. Getting to root was pretty straightforward, no need for enumeration in my opinion.

    Hints for user are all in the thread: enumerate with fairly large directory lists, you don't need a shell, find all credentials, watch out for syntax.

    Elio

  • Rooted! Thanks to @Bear @KouPreY @Blastware.

    Hint for all users.

    On initial foothold, it has something to do with action. So google.

    On getting the user, you will gain alot of information, but you will be limited in your capability. Some information is just right in front of you. You need to research on - if machine is going to fail, how do I backup and restore certain data.

    On getting root, once you are in, you need to remember that HTB philosophy is not about brute forcing. You may want to check an Priv Esc check list to gain more information. Certain functions rely on some modules, if we can redirect those modules, damage can be huge...

    wilsonnkwanl

  • hi @wilsonnkwan , wht r u mean by 'if we can redirect those modules, damage can be huge...' ??? hmmm would u pm me abt that ,

    Hack The Box

  • @Ju577Ry said:
    hi @wilsonnkwan , wht r u mean by 'if we can redirect those modules, damage can be huge...' ??? hmmm would u pm me abt that ,

    Bro, if you need help, you'll PM me :)

    wilsonnkwanl

  • Finally after 3 days i got user..Now working on root thanks to @batman786

    image

    ------- MrBlackHat -------

  • Ok finally i got root ..
    This box was really fun if anyone need hint i'm here to help.

    GOOD LUCK GUYS

    image

    ------- MrBlackHat -------

  • haha, finally rooted when i found what was right infront of me. Thanks to @MrBlackHat for pointing out the obvious.

    raystr

  • I am at a loss. I have gotten RCE with e******3.py and gotten the user and pass in tomcat-users, but I don't know where to use this at, am I missing something minor? The pass wont work in /m******

    cr4nk

  • Good day guys, I have the manager directory but I can't seem to get the username and password, any hint please?
  • Just got root :+1:
    Cool box. If someone needs help PM me :)

  • Ok, omg, this box was a hassle. It took me a while to get foothold, but its very easy to do, especially with some tips here.
    The hardest part for me was priv esc, until I just sat there and looked at my enumerated data.
    KEEP YOUR EYES OPEN. The priv esc to get root is right there in front of you.

    cr4nk

  • Trying to get a foothold. I see what 'actions' i have to take just not sure how to take them. any exploits ive tried dont seem to be working. can anyone give me a nudge in the right direction?

  • edited August 2018

    could someone can help me with the commands used to connect to that service as I don't even have a tty I don't know how will i connect to it. The commands which i am using to list something always giving me an error invalid option

    Edit: I am able to list databases but got nothing .. any help?

  • Can anyone DM for a nudge on getting user?

  • edited August 2018

    Is there anyone in here got root.txt in root shell? i've got root shell before the .py file is run but now i try again it's not work. I think it has more than one way to rooted this machine. Is there any problem here, can we PM to discuss about it?

    [Update 1]
    OK, it has 2 way to got root.txt at least, the 1st one is got root shell and got root.txt, the 2nd is some trick with a module. I did the 1st one in the 1st time but now it's not work and i think it's unintended way, i've just did the 2nd one to got root.txt again. Is there anyone rooted this machine to happy to discuss the idea?
    [Update 2]
    Ahhh, i think i've understood all the thing. Pri esc is cool and it has only a way to got it without solve the hashes. Thanks the author. If anyone need hint, feel free to PM and google is king.

    P/S: Some people who got root this machine should reset or delete all the file that they've created.

  • Woo that was a great box all around. Priv esc is extremely satisfying, props to @cr4nk for helping out! I'm open for a nudge if anyone's having trouble with priv esc or user.

  • OK, after 4 days (and waking up in the middle of the night with an answer which was correct) I finally got root. Getting root is easy if you know where to look. I did a huge facepalm when I got it.

    This is my hint for all who are starting with this machine:

    In order to find the right entrance you need to knock all the possible doors, not only the obvious ones. Then use a famous exploit and you'll be in. Then just follow the footprints all around ;)

Sign In to comment.