Vault

@nol0gz
Great box, the best of the HTB boxes so far! It was not very tough for me, I had huge fun doing it, recalled some things and learned a couple of new ones. Thanks!! :slight_smile:

got root, learned a lot. PM me if you need help!

It’s a box, in a box, in another box. How many new techniques did I learn? About 4 or 5 new things. It was tough for me, especially n**t. Taking off my hat in front of @tabacci and @cyb3reagle for help.

Edit: thanks @ZaphodBB for the nudge!

Rooted
User part is easy… I found two ways to get a shell… I think there might be more.
Root part requires more effort to grab the flag.

I’m totally stuck at the o**n RCE. Tried to execute bash revshell commands but no luck. Also the V*C port is just giving me black screens… Any hint on how I could get unstuck on this?

Nevermind… Got that part, on to vault now.

Rooted. Great box, so angry at myself to have missed so much information. I lost myself in the maze so many times without noticing.
User was a pain, root was super easy.

Did anyone get a root shell on V****? I wonder if there is a privesc or something?
If anyone got a root shell I would be glad to know how you can access it.

Got Root!!!
Amazing machine…
Highly recommended for those who want to do some network pivoting and tunneling stuff.
Also thanks to @cyb3reagle for helping me in the .ov***n part.

@dmaendlen said:

@humurabbi said:
Can anyone point me in the right direction?
Got first user d***. Found the webserver running on D**. But have no idea where to get the .o**n file.

write your own

This is a good one -:slight_smile:

Nice host, it was fun.
The only thing I’m wondering about is the purpose of the restricted shell at the end.

@janewilde said:

It’s never too early to start discussing a new box!
Still enumerating, only found one 403 page :slight_smile:

Did you get it?

rooted: Finally came home… thank you all that helped me… you know who you are

I like this box. Found a lot of ways to upload my code, but until now no way to get it executed. I can just open and read my code. Or it is going to be interpreted as a picture by the browser. Still don’t know how to avoid that.
I will continue learning about bypasses. Already taught me a lot :slight_smile:
Thanks for such a nice Box!

Getting shell and D*** user is easy as ■■■■ once you’ve found the directory… took me less than 1 min to get into the ssh… but I guess from now on I’m gonna suffer…

Can someone give me a small nudge? Do I need to enumerate 2 .php files in /s*******s? I am not able to guess the correct username/password and the second file is just echoing an error? Or am I going in the wrong direction?

I am stuck with the ovpn config… I tried to put some config and get a reverse shell in the first machine using nc pointing to the correct interface… Can anyone help?

thanks

At last got the root flag…
Happy to help… PM me

I’ve gotten the user.txt flag and I think I found what most are talking about in the log file but I can’t seem to get much to work from it. I’ve got Vault’s IP and it seems to only like a certain port. Not completely sure how to get this working.

Edit: finally got into Vault. Now I’m stuck with the g** file.

Edit: Rooted. Wow!