Vault

Comments

  • I like this Box. Found a lot of ways to upload my code, but until now no way to get it executed. I can just open and read my code. Or it is going to be interpreted as a picture by the browser. Still don't know how to avoid that.
    I will continue learning about bypasses. Already taught me a lot :)
    Thanks for such a nice Box!

  • getting shell and D*** user is easy as damn once you found the directory..took me less than 1 min to get into the ssh....but i guess from now on i'm gonna suffer..

    I Love Ice Creams

  • edited March 2019

    Can someone give me a small nudge? Do I need to enumerate 2 .php files in /s*******s ? I am not able to guess correct username/password and second file is just echoing error? Or am in wrong direction?

  • i am stuck with ovpn config ...I tried to put some config and get a reverse shell in first machine using nc pointing to the correct interface ...Can anyone help ?

    thanks

  • At last got the root flag ..
    Happy to help ...pm me

  • i4ni4n
    edited March 2019

    I've gotten the user.txt flag and I think I found what most are talking about in the log file but I can't seem to get much to work from it. I've got Vault's IP and it seems to only like a certain port. Not completely sure how to get this working.

    Edit: finally got into Vault. Now I'm stuck with the g** file.

    Edit: Rooted. Wow !

  • stuck at D** to V**** part, got all(?) the info(history lesson,123), I think I understand the main idea but don't know how to do that.
    Can anyone help?

  • rooted couple of days ago, was an interesting box for me, I recommend it for folks preparing for OSCP.

  • If someone could PM me with a hint on the move from D** to V**** it'd be much appreciated. I cannot seem to find the log file that people here are talking about and I feel like I'm missing something obvious

  • Hi all,

    Am stuck. I've managed to login to D*** and now trying to pivot. I've setup tunneling and now trying to get callback from o*** but nothing I do seems to work. Also I've tried to login to V** service but no luck.

    Can someone please give me a tip ? I've read through this topic twice :(

    Cheers!

  • Got user and root today, amazing box for learning how to pivot. Had me doing lots of googling but all worth it. Learnt a lot :) I liked the touch of GPG :P Made you practice exfiltration

  • edited March 2019

    @sk41 said:

    Thanks @clmtn for the help! I am on the right track, but it seems that the website functionality to update the *.**pn file is not working properly (on eu-free)..frustrating.

    Hi,
    that Comment made me think.. I am on EU-VIP-15, but am stuck at the *.**pn part. I made a "dynamic" Tunnel, to access the thing where I can play with the *.**pn file. But "Update file" always hangs.
    Is it a problem i need to solve myself or is that supposed to work and just broken? Please help!

  • Well.. got a connection and the userflag. But not sure if it was the intended way. Can i PM someone about that?

  • @Timuuh said:

    @sk41 said:

    Thanks @clmtn for the help! I am on the right track, but it seems that the website functionality to update the *.**pn file is not working properly (on eu-free)..frustrating.

    Hi,
    that Comment made me think.. I am on EU-VIP-15, but am stuck at the *.**pn part. I made a "dynamic" Tunnel, to access the thing where I can play with the *.**pn file. But "Update file" always hangs.
    Is it a problem i need to solve myself or is that supposed to work and just broken? Please help!

    After several resets on the machine, so the function is supposed to work and just broken.
    But I saw you got the connection, and userflag. Congratz! :)

  • I wouldn't mind comparing some notes with other people who have finished this box. What tools do you use for pivots? I personally can't stand the SSH syntax!

  • hey folks,
    can someone give me a hint how to do a file transfer from v***? I'm pretty sure I have everything to get root flag but I'm going crazy on how to transfer the key.

    if anybody needs help up to this point feel free to ask.

    "Respect to whom respect is due."
    Twitter: https://twitter.com/0x4242 | Web: http://0x4242.net

  • Very challenging box! Very real life. Reminds me of good old OSCP. Thanks to @sk41 and @RyanW18 for helping me on the very last step. Me brainfarting it.

  • @DrDingDong said:

    Very challenging box! Very real life. Reminds me of good old OSCP. Thanks to @sk41 and @RyanW18 for helping me on the very last step. Me brainfarting it.

    No worries mate, I agree very good box :)

  • @0x29A said:

    For example, if someone wasted six hours digging through an ISO, maybe they'll think twice about doing that again next time they run across one and mark it low priority. Maybe they'll take note about what the ISO contains (could be a hint) and just continue on. Maybe they'll learn how to md5 or sha1 the ISO file and see if it's a stock image. If it's not, maybe they'll learn how to diff the ISO file with a stock ISO so they aren't forced to dig around the entire thing.

    Similar lessons may be learned from just about any rabbit hole.

    Look at IppSec's videos and how quickly he dismisses most rabbit holes. You think he does that in practice? I do. How do you think he learned such intuition?

    Regarding things like login rabbit holes: at each layer in the hacking process, you should follow the standard steps. The first being recon. For example if you see a login form half way through your recon process and you immediately start hitting it with a brute force, you've just violated modus operandi. It's not until that doesn't even work that you continue your recon...so why not have continued that in the first place in order to gather all of the puzzle pieces? I like to call them "dots." Once you have all the dots, you'll have the beginning of your attack surface graph. You can start performing more systematic research on each of their attack vectors, forming relationships with other dots, and determine routes to your final goal. Finally, you can map out the shortest cost, least noisy, shortest path, etc to reach your goal. Most, if not all, of the rabbit holes at this point will be obvious in your graph.

    Learning how to be pragmatic and how to frame your problems accordingly may not always save you time, but it will save you the headache of guessing and working with unknowns and eventually dissolve your reliance on script kiddie tools and methodologies. Most importantly (imho), it will make you quieter in real life encounters.

    Edit: Slightly off-topic rant: To all of the cheaters out there: This is a learned skill. A talent. An art. And it's required. If you request help from someone and they provide a spoiler, either discard it or learn from it, don't live by it, and certainly don't pass it on. If you must (e.g. team member, close friend, or something), explain to them what you learned from it rather than just copying & pasting the solution, because that does neither party any good. Plus, spending the extra ten minutes it takes to digest the solution and explaining it to yourself and then to your friend will totally be worth it, trust me. For example: Someone asked me for help on a simple binary exploitation. I could've just pasted him my ~50 byte payload and maybe tried to answer some questions following that, but instead I took 20 minutes out of my day and wrote a fairly detailed write-up specifically for him on how it was done. It taught him how to do it, I learned a couple things merely explaining each individual step, and if he ends up sharing it, so be it... there's no copy & paste solution, just reading material for others. Sure there's a leader board, but we don't -- shouldn't be measuring epeens here, we're all intellectuals. We should all think of ourselves as students and teachers. Do your part in the community. Learn together!

    This is gold!!!

  • Got Root, great box, my first taste of pivoting.. really enjoyed it... thanks heaps @nol0gz

  • edited March 2019

    Stuck on initial foothold. I've enumerated up to /s********/d*****/u******, but it 403's.. I've used dirsearch and gobuster both with multiple wordlists looking for .php/html/txt files and I'm not finding anything..

    A previous tip mentioned something about VIP users trying a different server, I've tried 2.

    I would appreciate a hint/nudge. Forum or PM.

    Much appreciated!

    edit: Got it, thanks!

  • tough box, learned a lot. one of my favorite so far on HTB.

  • any pointers on this gp* file ? PM?

  • @Lycist I'm in the same boat -- can you PM me with a nudge in the right direction? (If nothing else, I'd like to know if one of the things I've found -- which has now disappeared entirely -- is a red herring or if I should chase it down.)

  • have user and root txt but i could bypass the rbash on vault. Wanted to play a little with the box. If anyone got the rbash bypass on vault of dave, please PM me or let me know.
    Thanks

    sentry

  • edited March 2019

    Got in the initial box but can't escape the shell, not sure if I should continue to enumerate or waste my time trying to escape the shell. The no stdout is super annoying and I'm pretty sure I need TTY commands. Can anyone help out? DM me

    EDIT: figured the shell stuff now At .O*** but can't figure out how to pivot into DNS

    EDIT2: FINALLY ROOTED! Got stuck on trying the wrong thing too many times. Everything is in the logs. Understand what you're doing, the file decryption is easy.

    PM me if you need any hints

    Did anyone bypass rbash? I didn't need it for root flag but curious what you did, also willing to exchange notes with anyone? I have pretty bad notes but I'm curious to see what others did.

  • Finally got ROOT!! yeah!
    The Matrioska style is soo fun!

    See Ya!
    0xdebe

  • edited March 2019

    I'm on day 2 of trying to upload a reverse shell to the o**n configurator. I've tried everything that makes sense and nothing works, I'm ready to ask for help. I read the article on ovpn command injection from Tenable and I know you can't just copy/paste his conf because the quotes are not real quotes, the IP needs to be changed, and 'nobind' has to be in it.

    Literally any input I put in the configurator returns "executed successfully" so I can't tell if anything I'm doing is working.

    I replaced the 'up ' line with a simple wget back to the main machine, no luck, no injection. Yes, I included the nobind argument in my conf. I can't imagine wtf the next step is, but if this VPN thing is a red herring I'm going to flip the f*** out.

    Can anyone please pm me hint for this part?

  • edited March 2019

    Okay I just got RCE on D** on my own. Best advice I can give to anyone that spent as long as I did on it: make sure the .o**n file actually works on your own system 100% before you POST it. DO NOT COPY/PASTE from web. Also, get super familiar with netcat flags and the differences between openbsd and traditional and which version you are using. Specifically, the -s and -p flags.

  • edited March 2019

    I finally finished it and I learned 2 huge things.

    1 - I did not know about the o*****n injection threat. That's an eye opener because I've been using those files all willy nilly for a long time. That article was published in 2018.

    2 - Red Hat S***e Definitely going to be using that instead of VNC from now on.

    For everyone saying view the logs, I can tell you I beat this without reading a single log, although reading the logs will lead down a successful path as well. I'd wager there is another way to do it without ever having to pwn any of the VMs at all, involving doing a loop mount. Didn't confirm that.

    If you want to exfiltrate the way I did it, think really hard about the i********s file on D*S, and what it's keeping you from. You'll also have to know about #2 above.

    Hell of a box! I thoroughly enjoyed it and learned a lot! Paying respect to @nol0gz.
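
Several comments above mention the ovpn command injection issue and using such files without checking them. As an added example (not code from this thread or from OpenVPN), this sketch audits an untrusted profile before import by flagging directives that make OpenVPN run external commands; the function name `audit_ovpn` and the sample profile are constructed for illustration.

```python
import shlex

# Directives that make OpenVPN run an external program or load native code.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}
# Inline blocks that hold key/certificate data rather than directives.
DATA_BLOCKS = {"ca", "cert", "key", "dh", "pkcs12", "tls-auth", "tls-crypt"}

def audit_ovpn(text):
    """Return (line_no, directive, reason) for each risky line in a profile."""
    findings, block = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block:                                # inside <ca>...</ca> and similar
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">") and line[1:-1] in DATA_BLOCKS:
            block = line[1:-1]
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                       # unbalanced quotes: do not trust it
            findings.append((no, line.split()[0], "unparseable quoting"))
            continue
        if not tokens:
            continue
        name = tokens[0].lstrip("-")             # tolerate a leading "--"
        if name in EXEC_DIRECTIVES:
            findings.append((no, name, "executes or loads: " + " ".join(tokens[1:])))
        elif name == "script-security" and tokens[1:2] and tokens[1].isdigit() \
                and int(tokens[1]) >= 2:
            findings.append((no, name, "permits user-defined scripts"))
    return findings

# Constructed sample profile; host name and hook path are placeholders.
SAMPLE = """\
client
dev tun
remote vpn.example.test 1194
nobind
# comment line
script-security 2
up "/tmp/hook.sh"
<ca>
up certificate-data-not-a-directive
</ca>
"""

if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE):
        print(finding)
```

A profile that produces any finding should be reviewed by hand before it is handed to a VPN client or a web configurator.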
