Carrier

@EvilMonkee said:

@ASHacker said:

@ZeusBot said:
Guyz im strucked in s**p port enu i got interested result SN******* from that port. any idea. give me some hint?

i just want to know how did you get this result SN****** i tried to google about port 1*1(s**p) but got no clue…

Look at how to enumerate that service

@EvilMonkee said:

@ASHacker said:

@ZeusBot said:
Guyz im strucked in s**p port enu i got interested result SN******* from that port. any idea. give me some hint?

i just want to know how did you get this result SN****** i tried to google about port 1*1(s**p) but got no clue…

Look at how to enumerate that service

Thank you that was a great help to let me think from other way

I’ve been able to get a reverse shell, although i don’t really understand why i spawned into this machine and not on the web server (maybe i’m in a VM).
I think the next step is to find some info on the server on the subnet which is given in the ticket. However when I log in with ftp, it’s empty. I really don’t know what to do.

@nessaj said:
I’ve been able to get a reverse shell, although i don’t really understand why i spawned into this machine and not on the web server (maybe i’m in a VM).
The web server does not execute the code on its machine. there is a persistent ssh connection from the internal host to the web server, and the web server sends the commands you give it thru the ssh tunnel to this other host.
So your RCE is basically being funneled to another machine

got root…thanks for those who helped me a lot…pm for hints…

Why jrgdiaz is resetting the system???

I am stuck with the reverse shell on the website, if anyone can give me a hint, that would be great.

Hi,
the string i got from the MIB doesnt seem to work on login page.
Tried all of the combinations i could think of. A hint please ?

cool. got user with RCE. now to move onto root. PM me if you need hints with user… but yeah RCE is all you need, then you just need to “locate” the file :+1:

I have a shell, got user.txt , I’m ‘root’ , I’m pretty far, but stuck at privesc. I’ve read that it’s a must to have knowledge about CCNA routing/switching, Maybe someone would like to teach me a bit :slight_smile:

How did you guys enum S***. I’m using S***-C***** and the results i am getting are blank. I am using the public s**** on the correct port? Any help?

Guys the root is brain F**K and i don’t now why the review is so low. The difficulty is 10/10…You have to have CCNP to solve it. Even if you have CCNA you will not find the answer. Please be more objective when review a machine

Finally obtained root flag. Awesome Machine. I am just a month old in HTB and this was the hardest machine for me. Really learnt a lot. Special thanks to @tobor and @Tract0r for helping out.Pm for hints if needed.

Oh boiiiiiiiiiiiiiiiiiii!

Got root. Such an asymmetric box… got user in about 20 mins (half of that waiting for the nmap scan). Took a couple of tries to get root. Let’s just say that you need to brush up on networking. There was an earlier comment saying you need your CCNP, I’d say it’s not that extreme if you’ve hung around corporates for a bit and have been on the technical side, but if you haven’t had any network exposure I’d suggest reading up on different forms of network abuse. Hark back to your uni days and think on the OSI model, look at the tickets on the dashboard, and you should start to piece things together.
Happy to give out oblique and barely understandable hints via PM…

Super fun box though, the dopamine hit is noice!

Also, finally I will add, there’s one step where you can accidentally make the box unavailable, however I found that the RCE still worked, and could just blindly undo what I did to break the box without restarting.

@roastymaus said:
Super fun box though, the dopamine hit is noice!

Yeah, when I saw that root.txt it was a pretty good feeling, after how long it took

@TheInnocent said:
rooted. My hints for this box:

  • for user, don’t stop at the very first nmap scan, use full potential and enumerate every service. Reading everything in the web portal will help. Once inside, try to play with the only interesting parameter you see in burp to obtain a shell

  • for root you don’t have to do much but you’ll have to KNOW much about a certain service. First thing, run enumeration scan, then try to read as much as you can about how things like that work

"Reading everything in the web portal will help. Once inside, try to play with the only interesting parameter you see in burp to obtain a shell. "
love you Bro you save my time. it took 15-30 munites to identify .

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint >please!

I am in the same, can anybody give me any hint ?

@nutss said:

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint >please!

I am in the same, can anybody give me any hint ?

Just create password list from what you got with a different combination and try it.

@Lucyn said:

@nutss said:

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint >please!

I am in the same, can anybody give me any hint ?

Just create password list from what you got with a different combination and try it.

That’s not really necessary - you just need to consider that maybe part of the string you got isn’t the value, but the key.