• lost at the last stage ..... did everything correct run the exploit ... all good.
    but how or where can i use the created creds from the exploit?

    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • Got the same issue. Someone who can help?

  • yes i got root!

    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • Rooted. User is very easy. Root takes some creativity, but it's still fairly simple.

    I was unfamiliar with the application before attempting this box, so I had to research it first. Once I found what I needed I was able to use it to grab the root flag. There is no need for any brute force, password change, or account creation. 1 service and 1 application will give you all the access you need.

    PM for hints.

  • Finally got root, had some strange issues getting my reverse to work, although learnt a lot about the vuln!

  • If a complete noob like me can Root this machine everyone can!!!
    Feel free to ask!

  • Super frustrating, but good practice. It's hard to find the root file when you keep getting booted. I did get a shell but it get kept dying so I moved on. Anyway, for the people asking what to do after running the exploit.... the hint I give you is: "smell my butt". I was watching the log after logging in to the app to see if I could figure out what the crap was going on. It seems people keep hitting the "forgot password" link and resetting the pw for the app, not to mention doing other "strange" things. Enjoy!

  • Finally got the root.txt file! Had a real brain fart on this one but riotstar got me pointed in the right direction. It doesn't help that my Powershell skills are very rusty to say the least.
    In the end this is a fairly easy hack once you put it all together. If anyone needs a hint on how to get this done send me a PM.

  • Got user.txt but stuck on root.
    please PM me

  • Type your comment> @laughingman777 said:

    Making some progress..

    User flag: Very easy. It's actually not even protected. Look at the standard services.

    Root flag: Got root.txt. some hints that will help others. This really is an easy box. YOu may need to read about PRTG functionalities.
    1. Think like a user is probably useful in hindsight. Not to initially find out the creds. So go through your standard steps to discover cred.
    2. Read up an (obscure??) PSA regarding PRTG's exposing domain creds. That will provide a hint of where to look for a file. That will get you into the web ui.
    3. A GUI based client for the f** service makes things easier. Someone mentioned grep earlier... that is what you will need next.
    4. There's a functionality once you get in to PRTG that allows you to provide arguments... exploit it. And if you have trouble launching it after setting it up, look for the bell icon. It takes upto 2-3 mins for execution after its in queue.

    I found this to be really good guidance. I got my first User, and am so close to Root! I'm at step 4 above, and I tried it so many times, but clearly it's not working--not even my test shows up. How come everyone else gets this to work????

  • edited March 2019

    This was my first box on hackthebox, it took me a whole day, and I mean literally a whole day - even WITH HELP from an uberleet (who was very patient). When I got stuck and almost was gonna tear my hair off and jumping out of the window the person helped me to the next step.

    I dont think I would've solved this by myself, in 1 day.
    I think I would have solved this by myself in 1 week perhaps, minimum. I am really new to this, like, I had to download ftp, vsftpd, nmap. I am completly blown away by the whole process and my head feels 10/10 fried chicken nuggets and I'm done for the tonight.

    Fun fact:
    Time it took to "own user": perhaps 2h.
    Time it took to "own root": perhaps 6h.
    I was messing with metasploit, burpesuit, filezilla, reading stuff about ftp, nmap, windows commands etc and alot more.

    There's alot here to learn for a beginner. Damn. But the feeling when I got root, man, best feeling ever, and it feels so insane that something so hard, can be so incredibly easy when you know how to solve it. If I could do everything again I would've probably solve it in 20min, tops.

    If you get stuck at some point, it's OKEY to 'cheat' a little, the answer isnt gonna jump right at you if u are looking at the total wrong way, even if u do it for hours and hours. The positive thing is that you learn so much about IT-security along the way, even if you are not really making any progress with the task.

    After hours of not moving ahead, preferrably have someone point finger at where the next step could be, but you have to deserve it, and this is extreamly frustrating. Even with all the hints posted, it is hard sometimes to
    derive something informative and useful from it.

    What a fun challange tho, thanks for this!
    Best community ever.
    Good luck everyone!

  • Anyone willing to help me out?
    This is my first box on here, I got user which was easy trying to get root, I know what I need to get I just am not sure how to get it if that makes sense?

    Feel free to PM me.

  • Enjoyed the box. Got root, but my DOS injection skills are lacking. Had to drop the root.txt in plain view of anonymous ftp users. Given how often the box is reset maybe not a big issue. Any suggestions on how to inject off box would be helpful.

  • Why are people resetting this every 1 minute?

  • Damm! admins! please can you stop resetting this!

  • edited March 2019

    I got the creds im @ the admin console, but i can't get the syntax right

  • I got the creds for admins console. I'm trying to exploit the server but it's my first, it's hard. I tryed to use the exploit that use the cookies and a reverse shell with powershell but i'm doing mistakes i guess. can someone help me / pm me for root please !

  • rooted. Nice box. Things to take away ->

    • research the application more that you are attacking. It makes a difference to know what directories do what.


  • took me about 3h to figure out how to root it... but finally did it :)

  • edited March 2019

    So this is my first box. Managed to find user.txt really fast it was an obvious one. However, I got lost on the root. I did manage to find the file that throught my research should hold the password as well but I was not able to locate anything in the file that looks like a clear text password. I have been looking at it all day and with all the reverts and people breaking the box it is been hard. I just want someone who can point me to the right direction or potentially help me find where I have failed.

    Edit: I am just stupid found it now. I now realise that sleep is REALLY important!

  • How often does n***** send n************? Every time I try it gets reset, so I don't know if my script is wrong or if its because of the resets

  • I know I am overlooking the login for the web app. Ive been looking in the hidden dir logs any hint further would be appreciated. Please pm.

  • edited March 2019

    Guys I have P*** C***********.o**.b*k but I swear I don't see any plain text password, tell me if I am blind.
    Btw it is my first box and this is super fun

    Edit: nvm, I'm blind.

  • edited March 2019

    took me more than 12 hrs trying to find out on how to copy the root file, reverse shell and upload a file through the admin console/notif/***.bat, all my trials failed Please pm :anguished:

  • Netmon actually convinced me to buy VIP subscription. These constant resets were unbearable...

    If my comment somehow helped you, you can show your appreciation with a Respect :)

  • By FAR, the most annoying thing that stupidly had me going in circles for hours, was that the path you need to find credentials is not visible by default when connecting to that one port. It's there, and you can access it, but you won't see it. If you found a million articles like I did on where some plaintext things might be, trust the paths you find in your research.


  • Hello All ,
    I got user flag easily , i couldn't find path for login creds.please throw me some hints in pm.

    Thanks a lot

  • Hi team,

    I am at the point where I am able to create the n**********ns but not sure how they are triggered. If someone could please give me a hint here.


  • So happy that people stopped destroying the system for 5 min so I can get my first root.
    It was a great experience. Especially focused on understanding a service and its weakness. Liked the box even though I struggled I now know at least one more thing

  • Got user pretty easily although I messed about a bit! I'm logged into webgui, struggling to find the way forward at the minute anyone fancies PM me with a little hint of where to go next would be much appreciated!

Sign In to comment.