Vault

Can someone give me a small nudge? Do I need to enumerate 2 .php files in /s*******s ? I am not able to guess the correct username/password and the second file is just echoing an error? Or am I in the wrong direction?

I am stuck with the ovpn config… I tried to put in some config and get a reverse shell on the first machine using nc pointing to the correct interface… Can anyone help?

thanks

At last got the root flag…
Happy to help… PM me

I’ve gotten the user.txt flag and I think I found what most are talking about in the log file but I can’t seem to get much to work from it. I’ve got Vault’s IP and it seems to only like a certain port. Not completely sure how to get this working.

Edit: finally got into Vault. Now I’m stuck with the g** file.

Edit: Rooted. Wow!

Stuck at the D** to V**** part, got all(?) the info (history lesson, 123). I think I understand the main idea but don’t know how to do that.
Can anyone help?

Rooted a couple of days ago, was an interesting box for me, I recommend it for folks preparing for OSCP.

If someone could PM me with a hint on the move from D** to V**** it’d be much appreciated. I cannot seem to find the log file that people here are talking about and I feel like I’m missing something obvious.

Hi all,

Am stuck. I’ve managed to log in to D*** and am now trying to pivot. I’ve set up tunneling and am now trying to get a callback from o*** but nothing I do seems to work. Also I’ve tried to log in to the V** service but no luck.

Can someone please give me a tip? I’ve read through this topic twice :frowning:

Cheers!

Got user and root today, amazing box for learning how to pivot. Had me doing lots of googling but all worth it. Learnt a lot :slight_smile: I liked the touch of GPG :stuck_out_tongue: Made you practice exfiltration

@sk41 said:

Thanks @clmtn for the help! I am on the right track, but it seems that the website functionality to update the *.**pn file is not working properly (on eu-free)…frustrating.

Hi,
that comment got me thinking… I am on EU-VIP-15, but am stuck at the *.**pn part. I made a “dynamic” tunnel to access the thing where I can play with the *.**pn file. But “Update file” always hangs.
Is it a problem I need to solve myself or is that supposed to work and just broken? Please help!

Well… got a connection and the user flag. But not sure if it was the intended way. Can I PM someone about that?

@Timuuh said:

@sk41 said:

Thanks @clmtn for the help! I am on the right track, but it seems that the website functionality to update the *.**pn file is not working properly (on eu-free)…frustrating.

Hi,
that comment got me thinking… I am on EU-VIP-15, but am stuck at the *.**pn part. I made a “dynamic” tunnel to access the thing where I can play with the *.**pn file. But “Update file” always hangs.
Is it a problem I need to solve myself or is that supposed to work and just broken? Please help!

After several resets on the machine, so the function is supposed to work and just broken.
But I saw you got the connection, and userflag. Congratz! :slight_smile:

I wouldn’t mind comparing some notes with other people who have finished this box. What tools do you use for pivots? I personally can’t stand the SSH syntax!

Hey folks,
can someone give me a hint how to do a file transfer from v***? I’m pretty sure I have everything to get the root flag but I’m going crazy on how to transfer the key.

If anybody needs help up to this point feel free to ask.

Very challenging box! Very real life. Reminds me of good old OSCP. Thanks to @sk41 and @RyanW18 for helping me on the very last step. Me brainfarting it.

@DrDingDong said:

Very challenging box! Very real life. Reminds me of good old OSCP. Thanks to @sk41 and @RyanW18 for helping me on the very last step. Me brainfarting it.

No worries mate, I agree very good box :slight_smile:

@0x29A said:

For example, if someone wasted six hours digging through an ISO, maybe they’ll think twice about doing that again next time they run across one and mark it low priority. Maybe they’ll take note about what the ISO contains (could be a hint) and just continue on. Maybe they’ll learn how to md5 or sha1 the ISO file and see if it’s a stock image. If it’s not, maybe they’ll learn how to diff the ISO file with a stock ISO so they aren’t forced to dig around the entire thing.

Similar lessons may be learned from just about any rabbit hole.

Look at IppSec’s videos and how quickly he dismisses most rabbit holes. You think he does that in practice? I do. How do you think he learned such intuition?

Regarding things like login rabbit holes: at each layer in the hacking process, you should follow the standard steps. The first being recon. For example if you see a login form half way through your recon process and you immediately start hitting it with a brute force, you’ve just violated modus operandi. It’s not until that doesn’t even work that you continue your recon…so why not have continued that in the first place in order to gather all of the puzzle pieces? I like to call them “dots.” Once you have all the dots, you’ll have the beginning of your attack surface graph. You can start performing more systematic research on each of their attack vectors, forming relationships with other dots, and determine routes to your final goal. Finally, you can map out the shortest cost, least noisy, shortest path, etc to reach your goal. Most, if not all, of the rabbit holes at this point will be obvious in your graph.

Learning how to be pragmatic and how to frame your problems accordingly may not always save you time, but it will save you the headache of guessing and working with unknowns and eventually dissolve your reliance on script kiddie tools and methodologies. Most importantly (imho), it will make you quieter in real life encounters.

Edit: Slightly off-topic rant: To all of the cheaters out there: This is a learned skill. A talent. An art. And it’s required. If you request help from someone and they provide a spoiler, either discard it or learn from it, don’t live by it, and certainly don’t pass it on. If you must (e.g. team member, close friend, or something), explain to them what you learned from it rather than just copying & pasting the solution, because that does neither party any good. Plus, spending the extra ten minutes it takes to digest the solution and explaining it to yourself and then to your friend will totally be worth it, trust me. For example: Someone asked me for help on a simple binary exploitation. I could’ve just pasted him my ~50 byte payload and maybe tried to answer some questions following that, but instead I took 20 minutes out of my day and wrote a fairly detailed write-up specifically for him on how it was done. It taught him how to do it, I learned a couple things merely explaining each individual step, and if he ends up sharing it, so be it… there’s no copy & paste solution, just reading material for others. Sure there’s a leader board, but we don’t – shouldn’t be measuring epeens here, we’re all intellectuals. We should all think of ourselves as students and teachers. Do your part in the community. Learn together!

This is gold!!!
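
The ISO triage described in the quoted post above (hash the image, compare it with a published checksum, and diff its contents against a stock copy), as an added example that is not part of the thread. The two directory trees stand in for extracted or mounted images, and every file name and content in `demo()` is constructed.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def is_stock(path, published_hex, algo="sha256"):
    """True when the file matches the checksum published for the stock image."""
    return file_digest(path, algo) == published_hex.strip().lower()

def tree_manifest(root):
    """Map relative path -> digest for every file under an extracted image."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest

def diff_trees(stock_root, suspect_root):
    """Return (added, removed, changed) relative paths, suspect vs. stock."""
    stock, suspect = tree_manifest(stock_root), tree_manifest(suspect_root)
    added = sorted(set(suspect) - set(stock))
    removed = sorted(set(stock) - set(suspect))
    changed = sorted(p for p in set(stock) & set(suspect) if stock[p] != suspect[p])
    return added, removed, changed

def demo():
    """Constructed sample: two small trees standing in for extracted ISOs."""
    with tempfile.TemporaryDirectory() as tmp:
        stock, suspect = os.path.join(tmp, "stock"), os.path.join(tmp, "suspect")
        for root, readme in ((stock, "stock image\n"), (suspect, "stock image, edited\n")):
            os.makedirs(os.path.join(root, "boot"))
            with open(os.path.join(root, "boot", "grub.cfg"), "w") as f:
                f.write("timeout=5\n")
            with open(os.path.join(root, "README"), "w") as f:
                f.write(readme)
        with open(os.path.join(suspect, "notes.txt"), "w") as f:
            f.write("extra file\n")
        return diff_trees(stock, suspect)

if __name__ == "__main__":
    print(demo())
```

If `is_stock` returns true the image can be marked low priority; if not, `diff_trees` narrows the review to the handful of paths that differ.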

Got Root, great box, my first taste of pivoting… really enjoyed it… thanks heaps @nol0gz

Stuck on initial foothold. I’ve enumerated up to /s********/d*****/u******, but it 403’s… I’ve used dirsearch and gobuster both with multiple wordlists looking for .php/html/txt files and I’m not finding anything…

A previous tip mentioned something about VIP users trying a different server, I’ve tried 2.

I would appreciate a hint/nudge. Forum or PM.

Much appreciated!

Edit: Got it, thanks!

Tough box, learned a lot. One of my favorites so far on HTB.