Vault

@SharkBoi13 said:
You don’t need to generate the lists, only have to figure out what extensions are allowed. PHP has different extensions, you should look up File Upload Restrictions Bypass for PHP. I hope this is not a spoiler.

Got it and a shell

Edit: shell lasts max 1 minute, not enough time to explore the server. Have to wait for more stability of the box.

Got user, looks like my tunnel did not work for whatever reason, maybe the box was overloaded, but it does now.

Onto root!

Thanks @Skunkfoot

Ugh, so I just wasted a lot of time because someone screwed with the server and the initial site couldn’t be found. :angry:
After a restart all was fine again. I usually restart the server before I start working on it, skipped it this time and this is the thanks I get…

Well I am kind of lost at the point where you might use o****** to gain another reverse shell eventually. I already found that one article mentioned by @Skunkfoot. But I cannot manage to get a reverse shell. I guess I am missing something. Is anyone up for discussion?

So it’s correct there is no user.txt when I logged in to dv via S*H ?

I have not visited the forum here for a while now, and I don’t think I will again any time soon. It is rather disappointing to see how many spoilers there are on a box that is not even 48 hours past release yet. You guys are practically telling everyone how to do the whole box.

  • end of rant / carry on…

That’s a fair opinion. Like I said, feel free to report it, it won’t bother me at all. My intent is to help people understand the general tasks that need to be accomplished so they don’t waste hours downloading and messing around with a random iso image, for instance. I don’t think people really learn anything by wasting time with rabbit holes (even if they’re unintentional).

@Skunkfoot said:
That’s a fair opinion. Like I said, feel free to report it, it won’t bother me at all. My intent is to help people understand the general tasks that need to be accomplished so they don’t waste hours downloading and messing around with a random iso image, for instance. I don’t think people really learn anything by wasting time with rabbit holes (even if they’re unintentional).

People definitely learn something wasting their time with rabbit holes. Whether it’s a positive experience or not, it doesn’t necessarily mean they’re a waste of time. Rabbit holes hone critical thinking and are a real world problem.

@0x29A said:

@Skunkfoot said:
That’s a fair opinion. Like I said, feel free to report it, it won’t bother me at all. My intent is to help people understand the general tasks that need to be accomplished so they don’t waste hours downloading and messing around with a random iso image, for instance. I don’t think people really learn anything by wasting time with rabbit holes (even if they’re unintentional).

People definitely learn something wasting their time with rabbit holes. Whether it’s a positive experience or not, it doesn’t necessarily mean they’re a waste of time. Rabbit holes hone critical thinking and are a real world problem.

Good point :slight_smile:

For example, if someone wasted six hours digging through an ISO, maybe they’ll think twice about doing that again next time they run across one and mark it low priority. Maybe they’ll take note about what the ISO contains (could be a hint) and just continue on. Maybe they’ll learn how to md5 or sha1 the ISO file and see if it’s a stock image. If it’s not, maybe they’ll learn how to diff the ISO file with a stock ISO so they aren’t forced to dig around the entire thing.

Similar lessons may be learned from just about any rabbit hole.

Look at IppSec’s videos and how quickly he dismisses most rabbit holes. You think he does that in practice? I do. How do you think he learned such intuition?

Regarding things like login rabbit holes: at each layer in the hacking process, you should follow the standard steps. The first being recon. For example, if you see a login form halfway through your recon process and you immediately start hitting it with a brute force, you’ve just violated modus operandi. It’s not until that doesn’t even work that you continue your recon… so why not have continued that in the first place in order to gather all of the puzzle pieces? I like to call them “dots.” Once you have all the dots, you’ll have the beginning of your attack surface graph. You can start performing more systematic research on each of their attack vectors, forming relationships with other dots, and determine routes to your final goal. Finally, you can map out the shortest cost, least noisy, shortest path, etc. to reach your goal. Most, if not all, of the rabbit holes at this point will be obvious in your graph.

Learning how to be pragmatic and how to frame your problems accordingly may not always save you time, but it will save you the headache of guessing and working with unknowns and eventually dissolve your reliance on script kiddie tools and methodologies. Most importantly (imho), it will make you quieter in real life encounters.

Edit: Slightly off-topic rant: To all of the cheaters out there: This is a learned skill. A talent. An art. And it’s required. If you request help from someone and they provide a spoiler, either discard it or learn from it, don’t live by it, and certainly don’t pass it on. If you must (e.g. team member, close friend, or something), explain to them what you learned from it rather than just copying & pasting the solution, because that does neither party any good. Plus, spending the extra ten minutes it takes to digest the solution and explaining it to yourself and then to your friend will totally be worth it, trust me. For example: Someone asked me for help on a simple binary exploitation. I could’ve just pasted him my ~50 byte payload and maybe tried to answer some questions following that, but instead I took 20 minutes out of my day and wrote a fairly detailed write-up specifically for him on how it was done. It taught him how to do it, I learned a couple things merely explaining each individual step, and if he ends up sharing it, so be it… there’s no copy & paste solution, just reading material for others. Sure there’s a leader board, but we don’t – shouldn’t be measuring epeens here, we’re all intellectuals. We should all think of ourselves as students and teachers. Do your part in the community. Learn together!
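As an added example, not code from any poster in this thread, the following Python script does the ISO check described in the post above: it hashes a file, compares the digests against a list of known stock-image checksums, and, when the file is not stock, reports which byte ranges differ from the stock image so you do not have to dig through the whole thing. The two sample images and the checksum list are constructed stand-ins (a real run would use the vendor’s published checksums and the actual ISO files); the function names are this example’s own.

```python
import hashlib
import os
import tempfile

# Constructed sample data: a tiny "stock image" and a copy with a few bytes
# patched in the middle plus three bytes appended at the end.
STOCK_IMAGE = b"\x00" * 2048 + b"STOCK-ISO-PAYLOAD" + b"\x00" * 2048
MODIFIED_IMAGE = bytearray(STOCK_IMAGE)
MODIFIED_IMAGE[2048:2053] = b"CHNGD"   # five differing bytes at offset 2048
MODIFIED_IMAGE += b"XYZ"               # three extra trailing bytes


def write_samples():
    """Write the constructed images to a temp dir and return (stock_path, modified_path)."""
    d = tempfile.mkdtemp(prefix="iso-check-")
    stock = os.path.join(d, "stock.iso")
    modified = os.path.join(d, "found.iso")
    with open(stock, "wb") as f:
        f.write(STOCK_IMAGE)
    with open(modified, "wb") as f:
        f.write(bytes(MODIFIED_IMAGE))
    return stock, modified


def file_hashes(path, algorithms=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Stream the file once and return {algorithm: hexdigest} for each algorithm."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def is_stock(hashes, known):
    """True if any digest matches the known-good list ({algorithm: set of hexdigests})."""
    return any(hashes.get(a) in digests for a, digests in known.items())


def differing_regions(path_a, path_b, chunk=1 << 20):
    """Return [(start, end)] half-open byte ranges where the two files differ.

    Works in chunks so large ISOs are not loaded whole; a length mismatch is
    reported as a differing region at the tail of the shorter file.
    """
    regions = []
    start = None
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            ba, bb = fa.read(chunk), fb.read(chunk)
            if not ba and not bb:
                break
            if ba == bb:                 # identical chunk: close any open run
                if start is not None:
                    regions.append((start, offset))
                    start = None
                offset += len(ba)
                continue
            n = max(len(ba), len(bb))
            for i in range(n):
                ca = ba[i] if i < len(ba) else None
                cb = bb[i] if i < len(bb) else None
                if ca != cb:
                    if start is None:
                        start = offset + i
                elif start is not None:
                    regions.append((start, offset + i))
                    start = None
            offset += n
    if start is not None:
        regions.append((start, offset))
    return regions


def check_image(path, known, stock_path=None):
    """Hash the image; if it is not stock and a reference is given, list the changed ranges."""
    hashes = file_hashes(path)
    result = {"hashes": hashes, "stock": is_stock(hashes, known), "diff": []}
    if not result["stock"] and stock_path:
        result["diff"] = differing_regions(stock_path, path)
    return result


if __name__ == "__main__":
    stock, found = write_samples()
    # Stand-in for a vendor's published checksum list (constructed from the sample).
    known = {"sha256": {file_hashes(stock)["sha256"]}}
    print(check_image(stock, known))
    print(check_image(found, known, stock_path=stock))
```

Only the differing byte ranges are reported, so the next step is to inspect just those offsets (or the files that live there in the ISO’s filesystem) rather than the entire image.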

@0PT1MUS said:
I have not visited the forum here for a while now, and I don’t think I will again any time soon. It is rather disappointing to see how many spoilers there are on a box that is not even 48 hours past release yet. You guys are practically telling everyone how to do the whole box.

  • end of rant / carry on…

I reconsidered, maybe you’re right, I forgot how new this machine is still. Removed my post. :slight_smile:

@0x29A said:
For example, if someone wasted six hours digging through an ISO, maybe they’ll think twice about doing that again next time they run across one and mark it low priority. Maybe they’ll take note about what the ISO contains (could be a hint) and just continue on. Maybe they’ll learn how to md5 or sha1 the ISO file and see if it’s a stock image. If it’s not, maybe they’ll learn how to diff the ISO file with a stock ISO so they aren’t forced to dig around the entire thing.

Similar lessons may be learned from just about any rabbit hole.

Look at IppSec’s videos and how quickly he dismisses most rabbit holes. You think he does that in practice? I do. How do you think he learned such intuition?

Yeah, good point, I’m pretty sure I actually learned how to check the md5sum from a rabbit hole I was exploring, haha. And IppSec actually goes down some rabbit holes just to show why they’re rabbit holes!

OK, I am in the first SSH but from here I don’t have the knowledge to proceed to the next server. Does someone have a link for me where I can study the next steps?

And rooted! - What a fun box, I really liked the whole jumping hosts part.
The only downside: as this is a new machine, so many people mess with things, or even do destructive things like nuking the home directory and so forth… I think it is time for me to get VIP and try those retired boxes.

Could anyone give me a way? I have gone to the page for uploading and have bypassed the filter, but then when I move to the /up****s/ directory and type (name of file).php or the full name including those characters, it won’t show up, it tells me 404.

@Divyanshu said:
Could anyone give me a way? I have gone to the page for uploading and have bypassed the filter, but then when I move to the /up****s/ directory and type (name of file).php or the full name including those characters, it won’t show up, it tells me 404.

Try other bypass techniques

@0PT1MUS said:
I have not visited the forum here for a while now, and I don’t think I will again any time soon. It is rather disappointing to see how many spoilers there are on a box that is not even 48 hours past release yet. You guys are practically telling everyone how to do the whole box.

  • end of rant / carry on…

Agree - general hints have been too detailed lately, almost to the point where it becomes a walkthrough. I feel everyone needs to spend some time on the box before figuring it out. I think it’ll help cut down on the “I see a login page, let me bruteforce everything” approach.

Nothing wrong with helping out however! :slight_smile:

OK, I am at the last stage but cannot figure out what to do with the v.n stuff…

Got to the 1*******.4 machine and the VP and DS page… no idea how to proceed, please point out a place to study for this step?

@0x29A said:
I could’ve just pasted him my ~50 byte payload and maybe tried to answer some questions following that, but instead I took 20 minutes out of my day and wrote a fairly detailed write-up specifically for him on how it was done. It taught him how to do it, I learned a couple things merely explaining each individual step, and if he ends up sharing it, so be it… there’s no copy & paste solution, just reading material for others. Sure there’s a leader board, but we don’t – shouldn’t be measuring epeens here, we’re all intellectuals. We should all think of ourselves as students and teachers. Do your part in the community. Learn together!

For me, this is the best thing about HTB. I have certainly had times where something has stumped me (often stupidly obvious things as well) and I’ve asked for help. I can’t tell you how grateful I am if someone can explain the solution to me, rather than give me an answer. If I can then understand it well enough to explain to someone else, all the better.

On the whole, everyone can approach HTB in whatever way they want - it doesn’t affect me. If they are in a rush to get every box and just want the flags handed to them, I don’t mind. They have as much right to experience it that way as anyone else. However, for me, I want to learn new things and explore ways of thinking I might not be used to.

am trying>>>