Ethereal

@MinatoTW said:
Try or Die!!! Don’t let the box pwn you

Searched through 4 labs and the free one yesterday to find a box where the lnk stuff is working properly. Does not get executed (the lnk works when I execute as Alan) and not get replaced. Have been trying for 3 days and over 15 hours now. Won’t let the sh*te box pwn my life.

Probably Jorge is slacking as usual and already in his holiday break.

:-1: :angry:

There’s been a problem with the task which helps in getting the payloads executed. The mods have found the problem and the box should be fixed soon.

yep, has been fixed now! apologies for any inconvenience

@egre55 said:
yep, has been fixed now! apologies for any inconvenience

Thank you guys!

Still trying to recover from the Ethereal experience I did “The Purge” today and reinstalled my Kali image. After trying to wipe the synapses from the experience I thus also got rid of all the “binary remainders”. This is what my doc suggested.

Special thanks go to all that helped me during the difficult time :wink:.

what a journey! the hardest box I did on HTB until now. learned again some new tricks. But struggling with the annoying non-functioning lnk feature cost so much time although doing it the intended way. Overall still thumbs up as it was fixed.
Thanks to the good guys @opt1kz and @SamBugler for support.

PM for hints

Also leaving my testimonial in the I-survived-Ethereal self-help group :slight_smile:

It took me ages to find the ‘key’ to the entry point despite some good hints in this forum. Thanks all!

On the path to owning the user I recognized the 'hing I have to use, but nearly gave up on it as I made a mistake on testing it … Thanks @spoppi for pulling me out of some rabbit holes! Lesson learned: If everything is super locked down, better cross-check all your ‘test’ procedures on a local system twice - otherwise you can’t tell ‘locked down’ from ‘your mistake’.

I found owning root a bit ‘easier’ but only because I was accidentally familiar with some technology involved here. But still I nearly overlooked something ‘obvious’ that maybe should be part of default enum. I turned this into an unnecessarily complicated (?) - yet super interesting - forensics challenge instead.

But I really enjoyed all the rabbit holes and the learning experience a lot - thanks @MinatoTW and @egre55, this was one of my favorite boxes!

Hi guys,

Can some admin/moderator check if the J***** is on PTO of US VIP 10? I did replace the l*** file and tried a lot of payloads, but it seems not being executed by J*****. I can see that the file changes (date and size). When I use the A*** account and execute the payload through the RCE it woks, by I really believe that j*** is on a EoY vacation. Some admin (or HR member) can verify it for me?

Cheers,

hey maycon,

I just checked US VIP 10 and it looks okay (he’s definitely not on holiday!)

it may be worth manually running what you are trying and seeing what the outcome is :slight_smile:

Cheers

@kekra said:
Also leaving my testimonial in the I-survived-Ethereal self-help group :slight_smile:

It took me ages to find the ‘key’ to the entry point despite some good hints in this forum. Thanks all!

On the path to owning the user I recognized the 'hing I have to use, but nearly gave up on it as I made a mistake on testing it … Thanks @spoppi for pulling me out of some rabbit holes! Lesson learned: If everything is super locked down, better cross-check all your ‘test’ procedures on a local system twice - otherwise you can’t tell ‘locked down’ from ‘your mistake’.

I found owning root a bit ‘easier’ but only because I was accidentally familiar with some technology involved here. But still I nearly overlooked something ‘obvious’ that maybe should be part of default enum. I turned this into an unnecessarily complicated (?) - yet super interesting - forensics challenge instead.

But I really enjoyed all the rabbit holes and the learning experience a lot - thanks @MinatoTW and @egre55, this was one of my favorite boxes!

well done, glad to hear it taught something! cheers!

Thank you, mates! I don’t know what I was doing wrong, but I restarted the machine few times and start from the beginning following a well defined path. I think that other users was replacing the **k file with a infinite time command, so when the file was opened it was impossible to re-overwrite it. Anyway, after few resets everything was working as expected.

I got a shell (user.txt) and with a bit of effort it was possible to get the root.txt. It is such a great machine. Thank you makers. I learned some new tech and very useful stuff about Windows env.

Cheers,

@kekra said:
Also leaving my testimonial in the I-survived-Ethereal self-help group :slight_smile:

It took me ages to find the ‘key’ to the entry point despite some good hints in this forum. Thanks all!

On the path to owning the user I recognized the 'hing I have to use, but nearly gave up on it as I made a mistake on testing it … Thanks @spoppi for pulling me out of some rabbit holes! Lesson learned: If everything is super locked down, better cross-check all your ‘test’ procedures on a local system twice - otherwise you can’t tell ‘locked down’ from ‘your mistake’.

I found owning root a bit ‘easier’ but only because I was accidentally familiar with some technology involved here. But still I nearly overlooked something ‘obvious’ that maybe should be part of default enum. I turned this into an unnecessarily complicated (?) - yet super interesting - forensics challenge instead.

But I really enjoyed all the rabbit holes and the learning experience a lot - thanks @MinatoTW and @egre55, this was one of my favorite boxes!

We’re glad that you enjoyed it !

I’m in ping point… I need some Hint so please PM

I’m having problem on running po. do I need to configure something on dosbox?
The program just “page fault”. How do I know if the downloaded cwsdpmi zip is correct?

P.S. Do I really need to go deep in this hole?

First thx for the creators. Also thx credits to @MrR3boot @xct @Dutyfruit and @cornholio .

So as a unix guy: this was horribe… :slight_smile: but learned a lot.

HINT: in most cases your biggest enemy is You. I had a typo, a small letter in a path name in my LAB and I copy pasted this folder name badly from first time…. 2 days sent to trash. So as this is a very complicated and "experience a lot on your own machine” VM, always double check, dont hurry!

@n1b1ru said:
I’m in ping point… I need some Hint so please PM

ippsec video about ping back, i think

Exhausting and time consuming, yet you learn a lot. User and root are both a challenge here.

@peek said:

@n1b1ru said:
I’m in ping point… I need some Hint so please PM

ippsec video about ping back, i think

I finally got the user flag…

I’ve tried four different ways of creating m** files, and they work on my local windows VM but apparently when r**** checks them they do nothing - yes I am doing something to them with the thing that can be found in the other folder/is referenced in his note.

The struggle is real. Would appreciate a hint.

@rewks said:
I’ve tried four different ways of creating m** files, and they work on my local windows VM but apparently when r**** checks them they do nothing - yes I am doing something to them with the thing that can be found in the other folder/is referenced in his note.

The struggle is real. Would appreciate a hint.

I’m in the same boat. I think there is another piece missing to what needs to be done, but can’t quite get it yet.