• Hi,I am stuck in the enumeration part. Is page and directory enumeration the way ? because it takes too long.

  • Hi, i just got the user.txt but i'm stuck on the root privesc , i try some enumeration on the network part , but that thing was overwhelming , can anyone redirect me the right path ??

  • Hi, I'm new to htb and trying my first box carrier. I'm stuck on how to get the reverse shell. Trying to parse Di*******c page and I'm sure information is hiding behind qu**** and b**, but I have scratching my head since long how to proceed further. Please help!!!

  • Any tips on the root side. I have user and investigating the routing configs but without success so far.

  • Type your comment> @8032 said:

    Any tips on the root side. I have user and investigating the routing configs but without success so far.

    Could you please help me with shell?

  • the base of this challenge is to teach you how a device can leak its info and how to get that. It also teaches you how to read between the lines, once You have done that it is your job to find a parameter to conduct a remote code execution attack

    guys for all wondering this if it was real could be considered a 0 day a few of them

    so this is by no means a box for people that do not know how and why command execution can happen!!!

    You should understand how the code is made just by succeeding.

    If not go google no one here can help you learn something that is not attainable at your skill level

    that is not meant as a disrespectful statement. That's like going to a school hey I am a teacher this is easy than flopping when a 8th grade student asks you how to multiply a polynomial

    Than it gets worse You guys want someone to explain to you how to partially pull of an attack demonstrated at Defcon lol

    there is a reason this is hard it requires you to understand networking zero day development and discovery as well as network administration

    I again do not mean to demean anyone or anything like that this challenge answered allot of questions I had I loved every second of it

    A few people gave me help and pointers and I helped others this was a fun experience but requires a level of knowledge no one here can assist you with

    take about 6 months google bg* and Cisco and Routing and networking and basic Linux sysadmin and shit than come back and ask for help.

  • Thanks for the cool machine snowscan! Got user in about 30 mins and privesc took about 11h with all the research and ironing out the kinks to finally get it to work. I knew in theory what I had to achieve early on but couldn't get it to work in practice which made the hours all the more frustrating but the perseverance paid of in the end.

  • i don't understand, am i supposed to banging my head against the wall in every machine!? even if it's easy?!,
    I got the creds but it didn't work on the login page !?

    No Hack No Life ✌😒
  • edited March 2019

    Hello all,

    So far got the user.txt now looking for the root.txt. I've seen the routes but can't figure out how to add it to the b*p conf and then intercepting the traffic. A little help would be appreciated.
    Edit : configured all but tc****p doesn't seem to intercept

  • edited March 2019

    Stuck on root.txt. I have a pcap from t****p and credentials for the f** server. Stuck on what to do next as there is nothing on the f** server.

    edit: Got root!!!

  • logged in to web app and stuck
    any lead?

  • edited March 2019

    Anyone able to give me a nudge?
    I'm stuck on privesc.

    Unable to login to f** server

    EDIT: After B** H********, I can finally see something in t**d****. But I have no idea what am i supposed to be looking for.

  • Can any one help me after I got login to web page? PM please


  • Great box ! Learning a lot and discover a very interesting technique.

    My tips :

    foothold : enum correctly and when you enumerate, don't miss the halt of the equation.
    And an advice that I forget too often : if you find something you don't understand, take your time and read some doc!

    user : think like the developer. If you want make the same thing, what code will you write? use burp/zap and you will find.

    root : ok, now if you don't know the attack, you need to learn it, all is on this thread.
    Take your time to learn what append, what can be do. If you don't have a knowledge of the tool, you will not find the root flag. The creator has put some hints like a real life box on the foothold, read this carefully.

  • Thanks guys for helping me out getting user.txt. Going for root.txt now :)

  • Been trying all day yesterday to get a reverse shell or any sign that RCE is working using Burp/NC, | || & && ' $, nothing seems to work/append the command... It just seems to ignore it!

    Any hints?

  • Can someone help me to exploit the RCE inside the dashboard? I've been trying to do code injection into it but I'm lost, don't know what else should I do.

    Hints or PM for help?

  • If anyone could help me with port 1*1 and login would be amazing :) Really stuck!

    I have already done enumeration (various types....) but I cannot get a thing out of that specific port.
  • For the people stuck at port enumeration, remember that you can do many kind of scan with namp, and that some ports will respond only if correctly interrogated, with the correct protocol.

    For the RCE: you must find the page where something is "running"... can you guess which command is being executed server-side and echoed inside the page? It's a really peculiar output and i am sure you have seen it many times.
    Try it on your local console, and see if you can inject something in it.

    I'm currently struggling as root. I think i got the correct attack vector, and p* a*x is chocked full of fellow users probably looking for the same thing as me. But still no luck tho, i am not sure if the b** h***** is actually working at this point.

    Any hint or PM would be really appreciated, my brain is literally melting

    And, really, this box is amazing. I'm learning a ton of stuff

  • Can anyone help me with root ? PM please


  • Hey,

    I managed to get reverse shell as root which turned out to be the user profile having user.txt
    Is everything correct? Who's the boss of root? MegaRoot? I'm confused where to go for the root flag since I'm in /root and it's not there :angry:

  • Type your comment> @Monty said:


    I managed to get reverse shell as root which turned out to be the user profile having user.txt
    Is everything correct? Who's the boss of root? MegaRoot? I'm confused where to go for the root flag since I'm in /root and it's not there :angry:

    All on same boat.. I think we should search more.


  • @killerhold said:
    All on same boat.. I think we should search more.

    I guess I'll have to put my network support hat

  • edited March 2019

    After doing the B** H*****, I managed to see something coming in to e** 2 at some interval in t****p.

    But I have no idea am i supposed to look for.

    Any hints?

  • I would be grateful for a bit of help. I'm into the control panel and trying to RCE c****k but everything I try doesn't work. Could someone please PM me some help?

  • I think I managed to do the B** thing and found the f** server, but I don't know what's happening.

    Can anybody PM and advise if I'm on the right track for root.txt?

  • I have logged in. I found the thing that shows where things run. I am drawing blank on what to do next. Can someone PM me with a nudge?

    Hack The Box
    Follow me on Twitter: @C_3PJoe

  • Nice machine @snowscan. The secretdata did make me laugh , out loud ;)

  • Hey everyone. Still new to all this. Ended up finishing the Access machine following IppSec's video and taking notes. Working on this one now and following along with his video exactly as he does. When he sets up his listener using N****t, I'm getting "listening on [any] 9001 ..." I didn't have this problem with Access when using the same N****t command. Any ideas? I need it to listen so I can get reverse shell. Everything is going fine with B**p.

  • edited April 2019

    Working on this box now? It has went down 3 times since i started my enumeration. Why?

Sign In to comment.