Ypuffy

1568101116

Comments

  • Thanks to @robel1889 for the hints, they was of great help.

    Props to @AuxSarge for this machine, this was a great educational box - I still have questions about this box which I am looking into (the fact that even after I've rooted, I'm still looking into various tools to understand them better - ie why doing X doesn't work, but doing Y does work - show how good this box is for learning)

    User flag isn't difficult, it's getting root that's tough but worthwhile. Great box.

  • edited October 2018

    With help from the excellent @sayyeah, managed to get user this morning (helps when you type the names right, folks). Pretty lost on root, I have a harebrained idea about using s**-*****n to generate a cert ain file and maybe use that to curl up into the mostly dead service, but I'm pretty sure that's not it. More enumeration while I ponder, I suppose.

    EDIT: I think my original idea is a dead end, I'm just plain lost now. :/

  • edited October 2018

    @jfredett said:
    With help from the excellent @sayyeah, managed to get user this morning (helps when you type the names right, folks). Pretty lost on root, I have a harebrained idea about using s**-*****n to generate a cert ain file and maybe use that to curl up into the mostly dead service, but I'm pretty sure that's not it. More enumeration while I ponder, I suppose.

    EDIT: I think my original idea is a dead end, I'm just plain lost now. :/

    Although I don't know what you mean by "the mostly dead service", I am pretty sure that your original idea is a good one. ;)

  • @bbz0r Oh? Maybe I just didn't do it right. Hmm. My attempts at playful vagueness were unclear, but, uh -- it's the one service yet unused in any significant way, the one with the s*****h endpoint

  • @jfredett Ah! Got it (hence the verb you used ;))! So, that endpoint will probably provide crucial information to use in s**-*****n (I say "probably" because there are 2 similar endpoints but only one provides the desired info) .

  • @bbz0r Yah, I found one of the endpoints (the one with c*.**b) by looking at the config for that service, the s*****h endpoint is interesting because it seems to correspond to an interesting file that b*****1 had, but I haven't quite figured out how to exploit it yet. I'm guessing that that file that b******1 had might describe something useful later, right now I'm still trying to figure out exactly how I can use this certain file. I'm not really familiar with this kind of usage, so it's definitely a learning experience.

  • This box was a very cool way to learn about new systems and commnds, especially the priv esc.
  • Can I pm someone on priv esc. Ive enumerated the web service, and the structure of the requests its wants, but I dont get anything other than what I currently have in hand. Will + rep for assistance.

    If any HTB users have helped you with a challenge or hint please consider giving them +respect on their profile.
    Here is mine is you would like to do so.
    https://www.hackthebox.eu/home/users/profile/50326

  • Thanks to a nodge in the right direction from @23Y4D I finally got root. Cool box and cool learning experience!

  • Can someone give me some tips about the priv esc. I have managed to get past from alice**** but not to root for some reason. Been struggling with it for few days :D

  • With help from the estimable and esteemed bbz0r, rooted. This was a really cool privesc, Great box!

  • edited October 2018

    Cannot seem to get the right parameters to s**-k*****n? Anyone giving me a nudge here??? If so, please PM me.. thnx!!

  • Can anyone help me get root just got user.txt and im stuck
    pm me

  • edited October 2018

    Can someone PM me a hint for syntax? I've tried everything I can think of with 3 different tools to connect to the service. With all of those I've tried the different ways of handing over hash value. Nothing seems to be working.

    EDIT: Finally got it!

  • edited October 2018

    removed

  • a very good read

    https://code.fb.com/production-engineering/scalable-and-secure-access-with-ssh/

  • i've seen the principal, but I have no idea what he is saying or how to apply it....anyone? nudge?

  • would appreciate any tip for PE. was able to login and find the keys. however couldn't leverage those to get root.
    please PM

  • Great Machine @AuxSarge. Learned couple of new things. Pm for hints if needed.

    Draco123

  • I manage to log in as b*** with d*** and s**-k***, but I fail to see the privesc. I've seen certain conf files, but I just don't see how this could lead me to root. Seems like I'm stuck.

    Uvemode
    OSCP | eCPPT |

  • Can someone PM me because i think i'm missing something, having some problems with ssh. Double checked everything.

    sanre

  • edited November 2018

    oh, nevermind... i had the stupidest typo of my life...

    sanre

  • Rooted. This box really need to understand those key information like ds .cf and s**_c****g. and read about how to sign a key.

    Thanks those who had helping me.

  • Probably the best box I've completed so far, learning experience, real life scenario, overall a great experience. Props to the creator of this one!

  • Can anyone give me a hint (DM) on privesc? I've been playing with s**-****** and read the interesting article that someone pasted here the link but I am missing something.

  • @drUIdmoz said:
    a very good read

    https://code.fb.com/production-engineering/scalable-and-secure-access-with-ssh/

    Thanks, good article :) Got root !

  • You are in room 4 of the cave, and have 2 arrows left.
    whoosh (I feel a draft from some pits).
    sniff (I can smell the evil Wumpus nearby!)
    There are tunnels to rooms 1, 7, and 9.
    Move or shoot? (m-s) s 9
    thwock! groan crash

    A horrible roar fills the cave, and you realize, with a smile, that you
    have slain the evil Wumpus and won the game! You don't want to tarry for
    long, however, because not only is the Wumpus famous, but the stench of
    dead Wumpus is also quite well known--a stench powerful enough to slay the
    mightiest adventurer at a single whiff!!

    found wump on the box: hoping @AuxSarge will give me the root flag for killing wumpus on his box, I'm so easly distracted yet so obsessively compulsive ( 40 mins of ols fashoind game play :) )

  • Try Harder definitely applies here.
    After some more exploration and paying more attention to detail I was able to obtain root.
    Great box, learnt new things that's for sure.
    Thank you.

  • ok so user was easy and straightforward, if you know the correct syntax to use, but root was definitely hard for me as I didn't know about ca authority, thanks to @ZaphodBB for spoonfeeding me the privesc, learned a lot great machine @AuxSarge . If you need any hints you can PM me.

  • Amazing experience with this machine, thanks @AuxSarge!

    Puzatik

Sign In to comment.