Carrier

How did you guys enum S***. I’m using S***-C***** and the results i am getting are blank. I am using the public s**** on the correct port? Any help?

Guys the root is brain F**K and i don’t now why the review is so low. The difficulty is 10/10…You have to have CCNP to solve it. Even if you have CCNA you will not find the answer. Please be more objective when review a machine

Finally obtained root flag. Awesome Machine. I am just a month old in HTB and this was the hardest machine for me. Really learnt a lot. Special thanks to @tobor and @Tract0r for helping out.Pm for hints if needed.

Oh boiiiiiiiiiiiiiiiiiii!

Got root. Such an asymmetric box… got user in about 20 mins (half of that waiting for the nmap scan). Took a couple of tries to get root. Let’s just say that you need to brush up on networking. There was an earlier comment saying you need your CCNP, I’d say it’s not that extreme if you’ve hung around corporates for a bit and have been on the technical side, but if you haven’t had any network exposure I’d suggest reading up on different forms of network abuse. Hark back to your uni days and think on the OSI model, look at the tickets on the dashboard, and you should start to piece things together.
Happy to give out oblique and barely understandable hints via PM…

Super fun box though, the dopamine hit is noice!

Also, finally I will add, there’s one step where you can accidentally make the box unavailable, however I found that the RCE still worked, and could just blindly undo what I did to break the box without restarting.

@roastymaus said:
Super fun box though, the dopamine hit is noice!

Yeah, when I saw that root.txt it was a pretty good feeling, after how long it took

@TheInnocent said:
rooted. My hints for this box:

  • for user, don’t stop at the very first nmap scan, use full potential and enumerate every service. Reading everything in the web portal will help. Once inside, try to play with the only interesting parameter you see in burp to obtain a shell

  • for root you don’t have to do much but you’ll have to KNOW much about a certain service. First thing, run enumeration scan, then try to read as much as you can about how things like that work

"Reading everything in the web portal will help. Once inside, try to play with the only interesting parameter you see in burp to obtain a shell. "
love you Bro you save my time. it took 15-30 munites to identify .

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint >please!

I am in the same, can anybody give me any hint ?

@nutss said:

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint >please!

I am in the same, can anybody give me any hint ?

Just create password list from what you got with a different combination and try it.

@Lucyn said:

@nutss said:

@shaboti said:
Enumerate port 1*1 and get SN…, try to use it as pwd for login but no success? Any hint >please!

I am in the same, can anybody give me any hint ?

Just create password list from what you got with a different combination and try it.

That’s not really necessary - you just need to consider that maybe part of the string you got isn’t the value, but the key.

Hello, i cant login into the app even though i found the ‘special string’. I know people say its easy but I am stuck in this for a day so any help would be appreciated.
Thanks

Hey guys I did the login, now I am in the web app, but I don’t know much about web applications, I used burp to intercept de requests and it show me the *** parameter, should I try to make a sql injection or anything like this ? If you have any hint, internet tutorial or video on youtube to the next step I will be grateful!

@nutss said:
Hey guys I did the login, now I am in the web app, but I don’t know much about web applications, I used burp to intercept de requests and it show me the *** parameter, should I try to make a sql injection or anything like this ? If you have any hint, internet tutorial or video on youtube to the next step I will be grateful!

Check you Inbox

Getting was pretty simple and fast, then I’m now on the way to root.txt.
I’ve setup a reverse connection and enumerated many config files and try to understand how qa works, used v console as well but can’t figure what is the next move to do
if anyone having resolved the step can give me a bit of explanation, it will be great, I don’t want a spoil but a way to the good direction

I enumerated the port, and found the S**** string , dont know how to login in to the app, stuck here from past few days, please help.

Any hints on how to get root after getting the shell? Stuck.
Is it something to do with Quagga Bgp ?

Hey Guys,

Got RCE but I’m stuck at shell. Tried a bunch of things with ch**k variable (e.g nc), no luck.

Can someone give me a hint in private or is available to discuss the machine?

Thanks,


Got it, trying to get root now. If someone wants to discuss the machine, pm.

is the box down?

Finally, I got root. It was not easy. Thanks to @roastymaus , @The5thDomain and @marine for helping me out. I am not sure this would consider a spoiler, but for priv esc you can search for “b** q****a attack” and click on the first link on google. That should give you a start