SecNotes


Comments

  • edited December 2018

    Rooted

    Initial Foothold:
    Do not try to brute force any service with any user; think of a way to pass yourself off as administrator using two words (seen in other machines). If you cannot get in, use all the forms; they are there for some reason.

    User
    Once you achieve it you will have more clues, you must enumerate the maximum with Nmap and you will achieve a shell

    Root
    It was really difficult to get to root, at least I could never see it that way if it were not for the clues: You will need a stable shell, use Google, once you get it think about Torvalds ... and use creativity to do something unique in the system, once you do, you must become a "traveler in time" and you will find it

    Nice box! :)

  • edited December 2018

    Okay, it is my understanding at this point it is si******** as the entrypoint. However, I wanted to make sure that was the case as some basic X testing seems to trigger as well. If it is s**I******** could somebody please DM me? I've tried some basic ones at the login form and I'm not even getting any error messages that would lead me to believe I'm moving in the right direction. Thanks ahead of time.

  • Hey all, I have gained access to the web app, and logged into what I believe is the service of interest. I'm also able to upload files, but not sure of the approach to get RCE? I'm also not 100% sure I'm in the right service; if anyone could PM me I would be grateful :)

  • got root.. mimi bunz was the hardest tbh cus i do not have experience with a particular webapp exploit.

  • Okay got user - but now completely stuck on priv esc. Got a simple webshell and tried every one liner reverse windows shell on the internet as well as trying various payloads but the box keeps deleting them when I try and run them....

    Any hint in the right direction I would be very grateful!!!

  • @samsepi0l said:
    Rooted

    Initial Foothold:
    Do not try to brute force any service with any user; think of a way to pass yourself off as administrator using two words (seen in other machines). If you cannot get in, use all the forms; they are there for some reason.

    I guess I don't understand the clue... I've seen IppSec's N******** video and I did what I had to do. I got the hashes from the u**** table. I don't really understand where to go from here

  • Rooted. Thanks @r00tk1d and @Baikuya
    I am still learning, the user was not that hard, mentioned OWASP top10 will help with that. Priv esc uses an interesting feature of win10. God how I love DeLoreans!

  • Can someone PM me a hint on how to solve the 500 error for the initial foothold? I think my query is wrong but I have no idea how to modify it to bypass the error

  • just rooted! Root was pretty simple, all the hints are inside this thread. PM me if you need some advice!

  • Can someone give me a hint in the right direction? I think I found all the services via nmap. I also used S**i to find a username and a hash. Am I supposed to crack it? From previous posts I feel like I am missing something.

  • So I got access to 'special feature' no prob. I don't see anyone mentioning what I'm thinking I could use (if I could hard reset the box without its filesystem reverting back to 0) but I am probably wrong. I've only seen one mention of it in the hints, that the thing you're supposed to use to escalate is related to the user's home folder? Not talking shortcuts. Seems like those processes start at startup and modifying them wouldn't make a difference unless I could run them again with elevated rights, which doesn't seem logical. Should I fux those or walk away?

  • I have gotten the user flag, but cannot find a proper way to get to the root flag. The "new" feature of this box works seemingly ok when running simple commands and scripts with it, but I'm still in non-privileged mode, so I cannot access the required folder(s). Any hints on how to proceed? PM me, please.

  • @KuroiKuro said:
    Can someone PM me a hint on how to solve the 500 error for the initial foothold? I think my query is wrong but I have no idea how to modify it to bypass the error

    I have the same issue.
    Can anyone PM me with some help?

  • @ashr said:
    So I got access to 'special feature' no prob. I don't see anyone mentioning what I'm thinking I could use (if I could hard reset the box without its filesystem reverting back to 0) but I am probably wrong. I've only seen one mention of it in the hints, that the thing you're supposed to use to escalate is related to the user's home folder? Not talking shortcuts. Seems like those processes start at startup and modifying them wouldn't make a difference unless I could run them again with elevated rights, which doesn't seem logical. Should I fux those or walk away?

    Haha, got it. There was a nice tip in a prior post. Tx m8, I should read better.

  • Can anyone give me some hints, please?

  • Is anyone having trouble keeping a session up for more than 30 seconds?

  • edited December 2018

    stuck at S**i, would appreciate a nudge. :astonished:
    EDIT1: got it
    EDIT2: rooted. interesting privesc :lol:

    sanre

  • I could use some help, guys :)
    Can someone PM me?

  • Rooted !! well that really was not the priv esc i initially assumed it to be .... but a fun box

  • Can someone send me some clues? I'm blocked, this is my second machine :|
    No spoilers, I found one useful thing but I don't know how I can use it.

  • Finally rooted!! That privesc concept was pretty cool, but I totally made it harder on myself with rabbit holes.

  • Well... I'm feeling kind of dumb, but I'm not able to figure out where to start the injection. I tried in all pages... :scream:

    dplastico
    OSCP-OSCE

  • Rooted finally. Special thanks to @sanre and @PercyJackson35!
  • @dplastico said:
    Well... I'm feeling kind of dumb, but I'm not able to figure out where to start the injection. I tried in all pages... :scream:

    same :/ I'm using htb to learn so I don't know a whole lot. s****p doesn't work and any s**i returns 500. I feel really stuck. Can anyone give me a nudge?

  • eXz
    edited December 2018

    Rooted, thanks to the creator. Fun box.

  • @eXz said:
    Also stuck, any SQL injections keep returning 500 error. Not sure how to get initial foothold would appreciate any hints.

    I'm on the same, maybe it is something very odd but I tried all fields and also tried the 2nd level attack but I'm getting the same error 500

    dplastico
    OSCP-OSCE

  • Finally box rooted, it was really cool. At the beginning I lost a lot of time in the first steps, but when I saw the obvious things, it was possible to continue the way.

    Good luck to anyone and anything can send me PM

    Hack The Box

  • I solved that part but now I don't know what to do. The files keep changing even after a reset? Is this intended behaviour?

  • edited December 2018

    I am seriously stuck on this :( Mas***n doesn't work and nmap takes too long. I cannot find another open port. Please PM me
    EDIT: does nmap take that long on everyone else's PC or is it just me?
    EDIT 2: Got user!

  • got root! pm me for hints, I won't give you the solution!

    TheJ0k3r
