Vault

I wouldn’t mind comparing some notes with other people who have finished this box. What tools do you use for pivots? I personally can’t stand the SSH syntax!

Hey folks,
Can someone give me a hint on how to do a file transfer from v***? I’m pretty sure I have everything to get the root flag but I’m going crazy over how to transfer the key.

if anybody needs help up to this point feel free to ask.

Very challenging box! Very real life. Reminds me of good old OSCP. Thanks to @sk41 and @RyanW18 for helping me on the very last step. Me brainfarting it.

@DrDingDong said:

Very challenging box! Very real life. Reminds me of good old OSCP. Thanks to @sk41 and @RyanW18 for helping me on the very last step. Me brainfarting it.

No worries mate, I agree very good box :)

@0x29A said:

For example, if someone wasted six hours digging through an ISO, maybe they’ll think twice about doing that again next time they run across one and mark it low priority. Maybe they’ll take note about what the ISO contains (could be a hint) and just continue on. Maybe they’ll learn how to md5 or sha1 the ISO file and see if it’s a stock image. If it’s not, maybe they’ll learn how to diff the ISO file with a stock ISO so they aren’t forced to dig around the entire thing.

Similar lessons may be learned from just about any rabbit hole.

Look at IppSec’s videos and how quickly he dismisses most rabbit holes. You think he does that in practice? I do. How do you think he learned such intuition?

Regarding things like login rabbit holes: at each layer in the hacking process, you should follow the standard steps. The first being recon. For example, if you see a login form halfway through your recon process and you immediately start hitting it with a brute force, you’ve just violated modus operandi. It’s not until that doesn’t even work that you continue your recon…so why not have continued that in the first place in order to gather all of the puzzle pieces? I like to call them “dots.” Once you have all the dots, you’ll have the beginning of your attack surface graph. You can start performing more systematic research on each of their attack vectors, forming relationships with other dots, and determine routes to your final goal. Finally, you can map out the shortest cost, least noisy, shortest path, etc. to reach your goal. Most, if not all, of the rabbit holes at this point will be obvious in your graph.

Learning how to be pragmatic and how to frame your problems accordingly may not always save you time, but it will save you the headache of guessing and working with unknowns and eventually dissolve your reliance on script kiddie tools and methodologies. Most importantly (imho), it will make you quieter in real life encounters.

Edit: Slightly off-topic rant: To all of the cheaters out there: This is a learned skill. A talent. An art. And it’s required. If you request help from someone and they provide a spoiler, either discard it or learn from it, don’t live by it, and certainly don’t pass it on. If you must (e.g. team member, close friend, or something), explain to them what you learned from it rather than just copying & pasting the solution, because that does neither party any good. Plus, spending the extra ten minutes it takes to digest the solution and explaining it to yourself and then to your friend will totally be worth it, trust me. For example: Someone asked me for help on a simple binary exploitation. I could’ve just pasted him my ~50 byte payload and maybe tried to answer some questions following that, but instead I took 20 minutes out of my day and wrote a fairly detailed write-up specifically for him on how it was done. It taught him how to do it, I learned a couple things merely explaining each individual step, and if he ends up sharing it, so be it… there’s no copy & paste solution, just reading material for others. Sure there’s a leader board, but we don’t – shouldn’t be measuring epeens here, we’re all intellectuals. We should all think of ourselves as students and teachers. Do your part in the community. Learn together!

This is gold!!!

Got Root, great box, my first taste of pivoting… really enjoyed it… thanks heaps @nol0gz

Stuck on initial foothold. I’ve enumerated up to /s********/d*****/u******, but it 403’s… I’ve used dirsearch and gobuster both with multiple wordlists looking for .php/html/txt files and I’m not finding anything…

A previous tip mentioned something about VIP users trying a different server, I’ve tried 2.

I would appreciate a hint/nudge. Forum or PM.

Much appreciated!

edit: Got it, thanks!

Tough box, learned a lot. One of my favorites so far on HTB.

Any pointers on this gp* file? PM?

@Lycist I’m in the same boat – can you PM me with a nudge in the right direction? (If nothing else, I’d like to know if one of the things I’ve found – which has now disappeared entirely – is a red herring or if I should chase it down.)

Have user and root txt but I could bypass the rbash on vault. Wanted to play a little with the box. If anyone got the rbash bypass on vault of dave, please PM me or let me know.
Thanks

Got in the initial box but can’t escape the shell, not sure if I should continue to enumerate or waste my time trying to escape the shell. The no stdout is super annoying and I’m pretty sure I need TTY commands. Can anyone help out? DM me

EDIT: figured out the shell stuff now. At .O*** but can’t figure out how to pivot into DNS

EDIT2: FINALLY ROOTED! Got stuck on trying the wrong thing too many times. Everything is in the logs. Understand what you’re doing, the file decryption is easy.

PM me if you need any hints

Did anyone bypass rbash? I didn’t need it for the root flag but curious what you did, also willing to exchange notes with anyone? I have pretty bad notes but I’m curious to see what others did.

Finally got ROOT!! yeah!
The Matrioska style is soo fun!

I’m on day 2 of trying to upload a reverse shell to the o**n configurator. I’ve tried everything that makes sense and nothing works, I’m ready to ask for help. I read the article on ovpn command injection from Tenable and I know you can’t just copy/paste his conf because the quotes are not real quotes, the IP needs to be changed, and ‘nobind’ has to be in it.

Literally any input I put in the configurator returns “executed successfully” so I can’t tell if anything I’m doing is working.

I replaced the ‘up ’ line with a simple wget back to the main machine, no luck, no injection. Yes, I included the nobind argument in my conf. I can’t imagine wtf the next step is, but if this VPN thing is a red herring I’m going to flip the f*** out.

Can anyone please pm me hint for this part?
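As an added defensive example (not code from this thread or from the box author), a small Python scanner that flags the OpenVPN directives which execute external commands, such as the ‘up’ line discussed above, so a service that accepts uploaded .ovpn profiles can reject them before handing them to OpenVPN. The directive names are real OpenVPN options; the sample profile, its address and its script path are constructed.

```python
import re

# OpenVPN directives whose arguments are executed as commands or scripts, or
# that enable such execution (script-security). Flagged regardless of arguments.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "script-security", "plugin",
}

def scan_ovpn(text):
    """Return [(line_number, directive, arguments)] for every script-capable
    directive found outside comments and inline <tag>...</tag> blocks."""
    findings = []
    in_block = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if in_block:                      # inline cert/key data, not directives
            if line == "</%s>" % in_block:
                in_block = None
            continue
        m = re.match(r"<([a-z-]+)>$", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":   # blank or comment line
            continue
        parts = line.split(None, 1)
        if parts[0] in SCRIPT_DIRECTIVES:
            findings.append((lineno, parts[0], parts[1] if len(parts) > 1 else ""))
    return findings

def is_safe_config(text):
    """True when the profile contains no script-capable directive."""
    return not scan_ovpn(text)

# Constructed sample profile: a routine client config that also carries an
# "up" hook plus the script-security level OpenVPN needs to run it.
SAMPLE = """client
dev tun
remote 10.0.0.1 1194
nobind
script-security 2
up "/tmp/hook.sh"
# an up directive inside a comment must not be flagged
<ca>
up this is certificate data, not a directive
</ca>
"""
```

Running scan_ovpn(SAMPLE) reports the script-security line and the up line only; the commented copy and the text inside the <ca> block are ignored.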

Okay I just got RCE on D** on my own. Best advice I can give to anyone that spent as long as I did on it: make sure the .o**n file actually works on your own system 100% before you POST it. DO NOT COPY/PASTE from web. Also, get super familiar with netcat flags and the differences between openbsd and traditional and which version you are using. Specifically, the -s and -p flags.

I finally finished it and I learned 2 huge things.

#1 - I did not know about the o*****n injection threat. That’s an eye opener because I’ve been using those files all willy nilly for a long time. That article was published in 2018.

#2 - Red Hat S***e. Definitely going to be using that instead of VNC from now on.

For everyone saying view the logs, I can tell you I beat this without reading a single log, although reading the logs will lead down a successful path as well. I’d wager there is another way to do it without ever having to pwn any of the VMs at all, involving doing a loop mount. Didn’t confirm that.

If you want to exfiltrate the way I did it, think really hard about the i********s file on D*S, and what it’s keeping you from. You’ll also have to know about #2 above.

■■■■ of a box! I thoroughly enjoyed it and learned a lot! Paying respect to @nol0gz.

I’m logged into D** as r***, trying to find a way to pivot to V****. I have searched every file on the system with a .log extension and many other .conf files etc. I cannot find any useful information which people are describing here. Can somebody confirm that the logs are on D** box and maybe point me in the right direction?

EDIT: I found the “log” that everyone was talking about… I’m having problems pinging V****'s IP address… do I need to modify r****s configured in i**s to bypass fl?

Can someone please help me out with that o*** file? I am stuck at this point for two days. Most of the time the page just loads infinitely…

edit: nvm, finally got the root flag. not sure how to get a root shell, though

The finishing touches on this box were wonderful, finally using a thing discovered a long time earlier. I learned several new concepts, big props to @nol0gz for putting together such a great box.

Hello People! Please could someone help me with RCE. I have file upload but need a nudge. I can see my upload but wondering if the file I created was correct and if my cmds are correct. Thanks