LaCasaDePapel

Comments

  • oh, and if you're going via https, a particular ending character in your url WILL crash the https server, so try tr -d with what you're doing or use an online service

  • edited April 2019

    Spoiler Removed

    If you appreciate my help, please give me +1 respect :)
    https://www.hackthebox.eu/home/users/profile/113070.

  • edited April 2019

    @shellsmoke said:

    Finally got root, thanks to the peeps who helped me out.
    Some tips and requests:
    I used a combo of good old door and https to get user, don't believe what you see from dirs. Try some other guys on the box with what you find.
    Root was... frustrating. The only issue is running into a million people, which is to be expected. As others said, check out what common commands do vice what you think they should do. As soon as you get a user shell, you'll see the way forward, just don't overcomplicate it for yourself.
    A request to those still attempting who are running into lots of people at the same time:
    please don't be a jerk. You can get root from user without resetting the box a hundred times. And don't go around deleting a ton of files that others might need. Make backups on the box before you go about doing the thing.

    It was me and Sara; the three of us were waiting for each other, but right after you were done a script kiddie arrived and we wasted a lot of time...
    If you were the one who helped me with that strange thing by explaining the "magic", thank you :)

    If you appreciate my help, please give me +1 respect :)
    https://www.hackthebox.eu/home/users/profile/113070.

  • edited April 2019

    Did anyone else have trouble using the private key for b****n when trying to SSH? It keeps asking me for the password, even though I'm supplying the private key by "-i". Anyone who can help? No error message in verbose mode either.

    EDIT: smh.. just why?

  • @oliverlyak said:

    Did anyone else have trouble using the private key for b****n when trying to SSH? It keeps asking me for the password, even though I'm supplying the private key by "-i". Anyone who can help? No error message in verbose mode either.

    EDIT: smh.. just why?

    Maybe it isn't for b****n? There are many users on that machine

    If you appreciate my help, please give me +1 respect :)
    https://www.hackthebox.eu/home/users/profile/113070.

  • Really, really fun box; was afraid it was going to be a bit too CTFy, but I loved the little deceptions (not trusting what was written sometimes, especially in terms of permissions/command effects/users) and rabbit holes.
    Went the HTTPS way, but would love to hear about the unintended way. My P*P skills suck, so I've probably missed it ...
    Root was solved in 5 minutes ... after 3 or 4 hours of trying overcomplicated stuff.

    Thank you @thek , was really cool :)

  • edited April 2019

    Finally got root, however I didn't like the method very much.... User was fun though
    Thanks for the hint @Heichou

    Edit: I got user through the secure way, if possible could someone PM me about the other way?

  • I'm stuck on how to get a shell that is not psysh ...

  • edited April 2019

    Any help to avoid the download path in LFI?

  • edited April 2019

    Hey fellows, plz some help with priv esc. I have an ssh connection already and saw me***ed stuff, but don't know where to go now... Ty to all the guys that teach things here! You rock!

    EDIT: Holy Cow, rooted! Dance root!

    Root tip: just go back to basics. Unix file permissions are the knowledge needed.

  • How to do me***d priv esc. plz help me

  • edited April 2019

    Does anyone know how to stop this goddamn HTTPS port from going down every single time I try to LFI? This is absolutely infuriating; I just want to make progress and it seems like I have to reset the box every time. Any tips are completely welcome. Gonna be a thumbs down on this one for me, dog.

  • Rooted! Nice box. PM me for hints

  • Got the foothold via vulnerability from one of the port services. Now on p*y shell. Ran command to read a certain variable. I somewhat understand the contents of the variable but don't know what to do next. What do I do with the contents of the $t**** variable? Please PM me. Thank you.

  • God damn, this was a hard box for me ... hints here are plenty and far enough. If someone needs directions, PM me.

  • Like many others I'm stuck on $t****, documentation for this seems to be hard to find for me. Can someone either give me a hint on how to proceed or recommended reading material?

    mogyub

  • @mogyub said:

    Like many others I'm stuck on $t****, documentation for this seems to be hard to find for me. Can someone either give me a hint on how to proceed or recommended reading material?

    @jumson said:

    As far as $t***o -- I found the best help was already included in that environment. I've been learning how to use that language to do this box, and I simply REPL icated the functionality to get what I wanted.

  • So many people have asked me about https access, so here is the site that will give you all you need.

    https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

    Hack The Box
    Discord: AzAxIaL#8633

  • Rooted.
    PM me for hints.

  • @Ruri said:

    Does anyone know how to stop this goddamn HTTPS port from going down every single time I try to LFI? This is absolutely infuriating; I just want to make progress and it seems like I have to reset the box every time. Any tips are completely welcome. Gonna be a thumbs down on this one for me, dog.

    Same here. EVERY single time I try LFI, the HTTPS service crashes, so, for the moment I cannot read the files I'm trying to read. I

  • @Kinjo said:

    @Ruri said:

    Does anyone know how to stop this goddamn HTTPS port from going down every single time I try to LFI? This is absolutely infuriating; I just want to make progress and it seems like I have to reset the box every time. Any tips are completely welcome. Gonna be a thumbs down on this one for me, dog.

    Same here. EVERY single time I try LFI, the HTTPS service crashes, so, for the moment I cannot read the files I'm trying to read. I

    Do what I did: stop using the CLI tool on Kali for decoding/encoding. Use an online tool, like this one: https://www.base64decode.org/

    This may well immediately correct your issue.

  • edited April 2019
    You could use echo -n to omit the newline character at the end.

    Hack The Box
    Discord: AzAxIaL#8633
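
The trailing-newline problem behind the `tr -d` and `echo -n` tips above, shown as an added example that is not part of any post in this thread. The sample path and the function names are constructed for illustration, and `base64 -d` assumes GNU coreutils.

```shell
#!/bin/sh
# Constructed sample value for illustration; not a path from the box.
sample='notes/readme.txt'

# echo appends "\n", so the newline becomes part of the encoded bytes.
encode_with_echo() { echo "$1" | base64; }

# printf '%s' writes exactly the argument bytes (portable form of echo -n).
encode_exact() { printf '%s' "$1" | base64; }

# Same result by deleting the newline before encoding, as the tr -d tip suggests.
encode_tr() { echo "$1" | tr -d '\n' | base64; }

# Succeeds if a base64 token decodes to bytes that end in a newline (0x0a).
# $(...) strips trailing newlines, so the last byte is inspected as hex.
ends_with_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

for token in "$(encode_with_echo "$sample")" "$(encode_exact "$sample")"; do
    if ends_with_newline "$token"; then
        echo "$token  <- decodes with a trailing newline"
    else
        echo "$token  <- decodes to the exact input"
    fi
done
```

The two tokens differ only in their last characters, which is why the extra byte is easy to miss when the encoded value is pasted into a URL.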

  • Yes!!! Got user and shell. "-n" switch or encoding using an online tool. Thanks! Let's go for root.

  • Is there something special to take care of when you generate client certificates? I tried multiple times, and it is not working... not in Firefox or Chrome either...

  • @portos060474 said:
    Is there something special to take care of when you generate client certificates? I tried multiple times, and it is not working... not in Firefox or Chrome either...

    If your error is : This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

    You have to generate a .p12 cert :smile:

    Source : https://security.stackexchange.com/a/163200

    If you appreciate my help, please give me +1 respect
    https://www.hackthebox.eu/home/users/profile/66920

  • I generated the certificates in various modes, but, despite the certificate being installed in the browser, I got the message: "Sorry, but you need to provide a client certificate to continue."

  • @portos060474 said:
    I generated the certificates in various modes, but, despite the certificate being installed in the browser, I got the message: "Sorry, but you need to provide a client certificate to continue."

    PMs :)

    If you appreciate my help, please give me +1 respect
    https://www.hackthebox.eu/home/users/profile/66920

  • Thanks, it's working. I missed a detail, the server certificate :)

  • edited April 2019

    Can I get a nudge on root? Already got the shell. Maybe it's me that's overthinking it?

    Edit: Rooted! PM if you need help!

    Dovee

  • lacasadepapel [~]$ whoami
    root

    Happy to help fellow hackthebox'ers!
