Hint for TartarSauce!

I’m working on root and a bit tripped up at the differences if anyone wants to bounce some ideas off each other.

i got the loging in fristry so that is defenetly rabbit whole i start to enumrate more and got some thing that some thing i enumrate it with some thing else there are some vurnibilities but i have not worked out how to exploit it mm…

that being said becare full this machine has too many rabbit holes…

@3mrgnc3 said:

@w31rd0 said:

@3mrgnc3 said:
Remember

The box is intended to be a TryHarder style lesson in the following…
- 1. Do full enum process of everything first.
- 2. Don’t dive right into the first thing you see.
- 3. Check for false positives and false negatives.
- 4. in real world pentesting (the whole point of practicing in htb?) not everything thing is usefull.
- 5. Don’t be a retar``tar:astonished:
after every post of yours, where retartar is mentioned, i feel even worse for myself, wasting time on rabbit holes. at least i got user.
still no root though

maybe re, tar, tar isn’t an insult…
…maybe…

…just maybe…
…it’s…

..shhhhh.

(whispers) … a clue.?

lol you just giving out too much clue :slight_smile: haha

i am stack on using some thing to read some thing and get a flag mybe tar, some thing else lol

@0d1n said:
Finally got it!!! Once the tunnel vision cleared I was good to go. Thanks for a great machine!

is because you only have one eye.

Rooted! Wow that was a tough priv esc but so cleverly put together! Mad props to the makers even if @3mrgnc3 is an absolute troll lol. PM me if anyone needs a hint at any stage of the box.

@smit2300 said:
Rooted! Wow that was a tough priv esc but so cleverly put together! Mad props to the makers even if @3mrgnc3 is an absolute troll lol. PM me if anyone needs a hint at any stage of the box.

??

$ file 
ȜӎŗgͷͼȜ_5h377: ASCII text, with very long lines

What is it tho? gzip -c for root shell? :disappointed:

Hi, i feel completely stupid, i’ve been stuck for a week trying to get inside this box.
I’ve enumerated all the directories listed in robots.txt and found an app that seems like a dead end even though i can access as an admin.
I’ve found other application with a login page that seems to be broken but can be easily fixed; found the username through it’s api and tried every password that has come into my mind without luck, tried brute forcing it but every attempt takes forever and it has some kind of anti brute force system, i’ve even tried using system.multicall…
I’m going crazy, can anyone give me a hand?

@Relwarc17 said:
Hi, i feel completely stupid, i’ve been stuck for a week trying to get inside this box.
I’ve enumerated all the directories listed in robots.txt and found an app that seems like a dead end even though i can access as an admin.
I’ve found other application with a login page that seems to be broken but can be easily fixed; found the username through it’s api and tried every password that has come into my mind without luck, tried brute forcing it but every attempt takes forever and it has some kind of anti brute force system, i’ve even tried using system.multicall…
I’m going crazy, can anyone give me a hand?

Yup, I’m in exactly the same spot here.
Given how many have solved its got to be something fairly obvious. Keep coming back to ‘re’,‘tar’,‘tar’ as the hint but what I’ve tried hasn’t worked so far.

@Relwarc17 @bobthebuilder As somebody said in this discussion earlier: Maybe you don’t need the password for the other app. When this app is vulnerable what are typical attack vectors? How could you enumerate those despite the app is broken? There are several ways how you spot the interesting thing - focus on the interfaces that are not broken, use the tool that brought you here again, …

can one PM me a hint about how to read root flag I have user.txt

@kekra said:
@Relwarc17 @bobthebuilder As somebody said in this discussion earlier: Maybe you don’t need the password for the other app. When this app is vulnerable what are typical attack vectors? How could you enumerate those despite the app is broken? There are several ways how you spot the interesting thing - focus on the interfaces that are not broken, use the tool that brought you here again, …

Thanks for the tip @kekra. Went back and ran everything again (this time through my proxy to verify) and the tool showed what I was looking for and now have shell. Now on to user/root.

need assistance with root. Can’t figure how to t** again.

Like everyone else, I’m stuck on the priv esc…I can see what’s happening and I can “break” the “process” but I have no idea how to get code execution from all this.

I thought I got the reference to the box name and have enumerated with dirb the second service with that extension, am I totally on the wrong path?

Finally rooted! Man did I hate this box so much. It was a good box nonetheless :slight_smile:

@Bear said:
I thought I got the reference to the box name and have enumerated with dirb the second service with that extension, am I totally on the wrong path?

Thanks to a great pointer telling me that was not the path… finally got User, this box is abusive on the brain. :smiley:

i need some help for getting initial foothold anyone ? :slight_smile:

Hi, can someone give me a small hint for initial access? I was able to login to one application as admin, but couldn’t leverage it to get shell. Also, I enumerated the 5 folders from the r*****.txt file and couldn’t find any other “interesting” file.