Friendzone - HackTheBox

@humurabbi said:

For root: pspy can be helpful

+1billion

It was a nice box, although a bit CTF-like to get the user part.

For privesc to get root I used “lse” (GitHub - diego-treitos/linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels) and I found the flaw very quickly (using -l1 verbosity).

For privesc the target is clear if you do your basic enumeration. You do not need a tool.
You do not need to follow any snakes, just follow your privesc routine and snakes will follow you. Read those informative files you have access to. Check permissions on things.

Wondering if anyone can PM me regarding root. I did lots of enumeration but the problem with being new to this is that sometimes it might be staring at my face and I won’t see it.
So by accident (I think some people left some files in the /home directory) I started suspecting it has to do with “E***4”, but I’m still lost as to how to proceed...

I did and learned a lot … still fighting for user access!!!
I did enumeration, got creds, have names, … but still :frowning:
Any help is more than welcome…

Got root. Thanks a lot @BigDaddy for help.
Lessons learned. Don’t echo to the files. It may not work. Try nano or vim or vi.
PM for hints.

Box was fun.
Thx @askar

:wink: :+1:

@humurabbi said:

Rooted Successfully.
Hint for user: The only reason this machine is difficult is due to the large number of rabbit holes. So first you need to identify and dodge them. Look for the comments to identify them.
For root: pspy can be helpful

Most helpful comment! Thank you!

wow user…

enumerate everything (obviously).

Now there is definitely a rabbit hole troll type part to user which I spent a lot of time on.

Focus on a certain page where you can use something else you found. Then focus on connecting how the place you found the useful thing is connected.

I transferred and I got stuck in the admin page. Credentials worked, but it leads to a dead end. I tried enumerating that subdomain, but that led nowhere. Any hints?

I’m stuck so hard at the t##es####… I have two separate PHP file uploads and realize the second parameter isn’t what it seems - although I am really drawing blanks. I’ve tried so many paths and tampering the params - not seeing LFI on this like someone else mentioned previously?

@prodlsd said:

I’m stuck so hard at the t##es####… I have two separate PHP file uploads and realize the second parameter isn’t what it seems - although I am really drawing blanks. I’ve tried so many paths and tampering the params - not seeing LFI on this like someone else mentioned previously?

There’s one there, but you have to know where the directory paths lead. There’s more to LFIs than …/…/…/…/file

@sh3lbst3r said:
I transferred and I got stuck in the admin page. Credentials worked, but it leads to a dead end. I tried enumerating that subdomain, but that led nowhere. Any hints?

It tells you where to go next :slight_smile:

@dispareo said:

@prodlsd said:

I’m stuck so hard at the t##es####… I have two separate PHP file uploads and realize the second parameter isn’t what it seems - although I am really drawing blanks. I’ve tried so many paths and tampering the params - not seeing LFI on this like someone else mentioned previously?

There’s one there, but you have to know where the directory paths lead. There’s more to LFIs than …/…/…/…/file

I know, that’s the part that’s killing me too. I’ve tried to prefix my paths with lots of path guessing (based on what I saw from the other service as well), null bytes, syntax adjustments and haven’t gotten anything yet. I feel like it’s SO obvious too and I’m missing it lol

If you enumerate the Brazilian dance (and how they are mapped) it eliminates the guesswork :wink:

stuck on dashboard, any hint ?

Brazilian dance

@pzylence said:

stuck on dashboard, any hint ?

Brazilian dance

Yes, but I’m not allowed to navigate to other paths!

@D4Vinci said:

@gokuKaioKen said:

any idea where is this admin thing?

In the same boat, everything that requires login doesn’t work with it

In the same boat…

@overwrite said:

stuck after grabbing creds.txt, please help (tried enumerating port 53, totally lost)

In the same boat, mate…