Hawk


Comments

  • @Phrenesis2k said:

    @drUIdmoz said:
    okay this config file- I don't know where you guys are finding a password in plain text; I've looked through enum scripts; did lots of manual enum; like lots and lots of manual enum... grepped everything for 'pass' or 'password' also; find / -name "config"/"password" etc etc... went back to my nmap... looked through all the directories disallowed... i'm just like... lost where is this plain text password..... someone said it was straightforward... O.o ...

    I can't tunnel without some ssh cred action.... used curl to check out the H2... but I can't do anything with it.

    ....at least from my current understanding... help guys?

    I hope this isn't too much of a spoiler. But maybe you should check where the config settings are stored for the CMS this server is running.

    I have to be looking right over this, or right at it... but I'm just not seeing it.

  • @drUIdmoz said:

    @Phrenesis2k said:

    @drUIdmoz said:
    okay this config file- I don't know where you guys are finding a password in plain text; I've looked through enum scripts; did lots of manual enum; like lots and lots of manual enum... grepped everything for 'pass' or 'password' also; find / -name "config"/"password" etc etc... went back to my nmap... looked through all the directories disallowed... i'm just like... lost where is this plain text password..... someone said it was straightforward... O.o ...

    I can't tunnel without some ssh cred action.... used curl to check out the H2... but I can't do anything with it.

    ....at least from my current understanding... help guys?

    I hope this isn't too much of a spoiler. But maybe you should check where the config settings are stored for the CMS this server is running.

    I have to be looking right over this, or right at it... but I'm just not seeing it.

    I've sent you a message.

  • What...I am slow, but I got it...now to get faster....root is done

    cslatt05

  • finally decrypting .enc file is done but then what ?!?!

    I have tried to login web interface and/or ssh with default usernames and found password but no luck!! Is that password maybe wrong? but i have tried at decryption process all type of d***** at that tool and i found just one password.

    What is happening ? :anguished: :(

    Wainright

  • I've learnt a lot thanks to this box! If I can give you some advice concerning privesc: don't overcomplicate it. Feel free to PM if you need help!

  • edited October 2018

    Having some trouble with the file you get from f**. I know what it contains, and I've done the first step, got the tool that everyone is talking about, but I don't know the encryption type, so I made a bash script to recursively go through each one. The script runs, but it's stopping after checking the very first algorithm.

    Can someone take a look at my bash script and see if they can figure out what I'm doing wrong?

    EDIT: I figured it out. I put in a break and it was halting the script after the first algorithm! :D

    Curve

  • Nice machine, had fun creating my own script for the decryption part because most of the tools weren't working. A bit disappointed for privesc...

  • This was a great machine, thanks for creating one that was a challenge each step of the way. Good stuff! ::rootdance!::

  • what a fun box, went right through the front door, no tools, got the .enc havent bothered with it yet, got user, then my vpn connection dropped and I lost my foothold for root priv esc. oh well, be back at it tomorrow.

  • Finally rooted ... great fun was had , got some good nudges without giving it away.

    Hack The Box

  • Got root...pm for hints...

  • edited October 2018

    i have decrypted the file, got some info from this, but i don't know where to use them.. i don't know how to take advantage of the w**-p*****.. pm would be appreciated.
    EDIT: found that, working on root now

  • Again i am replying my own question :) , but of course thanks for little tips at the road..

    For .enc file decrypting: after found a candidate password, i was not knowing anything about this description aim. I was using that password at website, ssh or other services. So if you are at same position, read about those decryption purposes and what is that password should be used for???

    For privesc: it was a different environment and different shell type for me. For this box, "most didnt like part" for me was finding credential of d***** ssh user, i hope there is another way of finding this password, after that i didnt read root.txt with Poison like method, i worked locally and drink some h2o :) i tried Poison like method but i couldnt execute any commands from my own remote box, we can discuss our methods if anyone PMs. Thanks for this box, it was a long journey @mrh4sh ;) :astonished:

    @Wainright said:
    finally decrypting .enc file is done but then what ?!?!

    I have tried to login web interface and/or ssh with default usernames and found password but no luck!! Is that password maybe wrong? but i have tried at decryption process all type of d***** at that tool and i found just one password.

    What is happening ? :anguished: :(

    Wainright

  • edited October 2018

    hi,
    I have user.txt and I am able to login d***** account with credentials over ssh. But after that I am not able to reach the root.txt. How do I connect to h2o? pm would be appreciated.
    Thanks in advance

  • edited October 2018

    Hello everyone. This was my first box. I tried for almost a week to get started and then I realized I was an idiot and that the .enc file was there all the time.
    After a while I got root.txt.
    Problem is I didn't get root and I'd like to do it.
    Some suggestions on privesc?

    EDIT:
    Nevermind, I found this --> hxxps://github.com/Hackplayers/hackthebox-writeups/tree/master/machines/Hawk

    epsequiel

  • edited October 2018

    anyone got some hints on the h20 login? I'm pretty sure i know how to proceed but need a correct Auth on that? Can someone give me a bit of a hint on that?

    --- NVM, rooted... Was goin down the wrong Path, man i should watch out where i step...

  • edited October 2018

    I'm starting to give up on root.
    I enumerated as much as I could. I literally ran cat on every conf file I could find. I grepped directories for files containing password or containing the user d*****. I ran find to search for files containing conf, and I ran LinEnum.sh. Still no luck.
    I still cannot find credentials to access d***** user.
    Found a certain PHP file where there is a password for something. I cannot seem to be able to use it anywhere. I know I might need to use it on the "water". But I am afraid I don't know how to build a bridge to help me pass through the water. And do I need user d*****'s password to do that?
    Anyone willing to give resources or hints on learning how to do that? Any help would be greatly appreciated. Please PM me to help ;-;

    EDIT: Realized the file I found did indeed contain the password to d***** user. I just didn't try it before posting for some reason :P

    EDIT2: Still struggling to get root. Tried to exploit the water thingy. It creates a zip file but the zip would be empty for some reason. No errors returned. Tried different priv esc exploits. Still no luck. Any help would be really appreciated.

    EDIT3: Nevermind. Got root! Was using the wrong exploit u.u

  • edited October 2018

    @valkyrix said:

    @w31rd0 said:

    @takuma said:

    @ghroot said:
    Can someone help to me about encrypted file?

    Bruteforce it

    is there a way to identify the encryption that has been used?
    or you go by trial and error?

    both, look into what the application that made that file uses, and probably their default values.

    That was the most helpful clue here.

    BTW. can somebody, who already got root explain one thing to me in PM?
    i did some stuff and can access this service, that is available from the localhost only.
    i logged in there using default credentials. however, i did not have an idea how to leverage it for the root that time.
    then, when i figured it out the password was not working anymore. does somebody keep changing it, or maybe i need to look for them somewhere on the machine?

  • Finally root, thanx alot @marine for the hint, actually root more easy compare user.txt, keep try harder dude :)

    banteng999

  • Would really appreciate a nudge here on what I should be focusing on after decrypting the file and logging in to the portal on port 80. Seems vulnerable to everything and nothing.....

  • edited October 2018

    Good god after trying for two days i realize that d***** password was changed! Anyway now im logged in as user but i have python shell any hints on how to get a bash shell? or any tips in any form are appreciated.

    I've exploited the hell outta the box by now i just need root, heck i even got a meterpreter running!

    Appreciate any nudges i can get :anguished:

  • Rooted! thanks for the nudge @BoiteAKlou !
    This box man :) will never forget these lessons

  • Got root, great box, thanks @mrh4sh

    dionero

  • Got root, thanks @ZaphodBB ! I would like to give some hints.

    1. When you try to decrypt the file, don't use the github tool, write a script. If you have the problem with one output file per password sort them by size.

    2. If you have access to this one service, google which configuration files the service has.

    3. You can get code execution by changing the configuration.

    4. You don't need a reverse shell. All files are in common places.

    If you ask for help, show your workings and what you've tried or I won't reply.

  • Got root. Turns out there are two ways to do this box, one is a little more manual than the other. This can cause a lot of the hints here to be confusing. If you feel like you're really close, you probably are, you're probably just overlooking something very simple like I was (seems that's always the case).

    Thanks again to the people who helped me. :)

    --Skunkfoot

  • edited October 2018

    alright, i have to admit i don't get it :P
    all the services i enumerated are refusing connections, the web page seems to be a red herring. i am totally lost. i have no idea where that encrypted file should be everyone is talking about. any clues?
    nevermind, i got the encrypted file. i just didn't read properly, gaaaah

  • Can someone give me a hint, actually I'm in the final stage of privesc, I could not find h2 db name and credentials to exploit

  • Can someone send me a PM about decrypting the file? I have the tool (i think) but struggling to decrypt it, tried a lot.

  • Do you need to make a user account on D****l to progress to get user? whenever i try it says it cant send the email to create the account.

    Any hints would be appreciated.

    Thanks!

    gwizwold

  • Could someone PM to make sure I have the right tool from Git Hub? It's not working for me.
